
Windows Analysis Report
Lu4421.exe

Overview

General Information

Sample name:Lu4421.exe
Analysis ID:1577337
MD5:e5358fca58c0e1b1e29eb195fb0f4675
SHA1:a114c059fed08a501c344f40d9f702f03cdebbab
SHA256:220c04c30a7dbd084fdebe00102f6340194845d8664dfd669a5549f23a1031c4
Infos:

Detection

Stealerium
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM5
Yara detected Stealerium
Yara detected Telegram Recon
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64native
  • Lu4421.exe (PID: 7452 cmdline: "C:\Users\user\Desktop\Lu4421.exe" MD5: E5358FCA58C0E1B1E29EB195FB0F4675)
    • cmd.exe (PID: 6052 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a42235a3-5c0c-493b-8363-b541a166b8b0.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • chcp.com (PID: 7992 cmdline: chcp 65001 MD5: CA9A549C17932F9CAA154B5528EBD8D4)
      • taskkill.exe (PID: 3660 cmdline: taskkill /F /PID 7452 MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • timeout.exe (PID: 5372 cmdline: timeout /T 2 /NOBREAK MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • cleanup
Name: Stealerium
Description: According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embeds a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor's addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord Webhook.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium
Extracted malware configuration: {"C2 url": "https://szurubooru.zulipchat.com/api/v1/messages", "User": "szurubooru@gmail.com", "API key": "fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS"}
Source: Lu4421.exe | Rule: JoeSecurity_Stealerium | Description: Yara detected Stealerium | Author: Joe Security
Source: Lu4421.exe | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Lu4421.exe | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: Lu4421.exe | Rule: JoeSecurity_AntiVM_5 | Description: Yara detected AntiVM_5 | Author: Joe Security
Source: Lu4421.exe | Rule: JoeSecurity_TelegramRecon | Description: Yara detected Telegram Recon | Author: Joe Security
Source: 00000000.00000002.27383588111.000001F5B9000000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AntiVM_5 | Description: Yara detected AntiVM_5 | Author: Joe Security
Source: 00000000.00000002.27383588111.000001F5B8FFA000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AntiVM_5 | Description: Yara detected AntiVM_5 | Author: Joe Security
Source: 00000000.00000002.27383588111.000001F5B8FA0000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AntiVM_5 | Description: Yara detected AntiVM_5 | Author: Joe Security
Source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealerium | Description: Yara detected Stealerium | Author: Joe Security
Source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.0.Lu4421.exe.b00000.0.unpack | Rule: JoeSecurity_Stealerium | Description: Yara detected Stealerium | Author: Joe Security
Source: 0.0.Lu4421.exe.b00000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.0.Lu4421.exe.b00000.0.unpack | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 0.0.Lu4421.exe.b00000.0.unpack | Rule: JoeSecurity_AntiVM_5 | Description: Yara detected AntiVM_5 | Author: Joe Security
Source: 0.0.Lu4421.exe.b00000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Description: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
  • Strings: 0x387396:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: Stealerium {"C2 url": "https://szurubooru.zulipchat.com/api/v1/messages", "User": "szurubooru@gmail.com", "API key": "fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS"}
Source: Lu4421.exe | ReversingLabs: Detection: 68%
Source: Lu4421.exe | Joe Sandbox ML: detected
Source: Lu4421.exe | String decryptor:
Source: Lu4421.exe | String decryptor:
Source: Lu4421.exe | String decryptor:
Source: Lu4421.exe | String decryptor:
Source: Lu4421.exe | String decryptor:
Source: Lu4421.exe | String decryptor: https://api.telegram.org/bot
Source: Lu4421.exe | String decryptor: https://szurubooru.zulipchat.com/api/v1/messages
Source: Lu4421.exe | String decryptor: szurubooru@gmail.com
Source: Lu4421.exe | String decryptor: fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49750 version: TLS 1.2
Source: Binary string: +costura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B8BA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe
Source: Binary string: costura.wpf.ui.pdb.compressed|||Wpf.Ui.pdb|299223DFCADFE8FD464F218CE110C10266AB22B0|139288 source: Lu4421.exe
Source: Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B8BA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed|||Newtonsoft.Json.Bson.pdb|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F|26968 source: Lu4421.exe
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe
Source: Binary string: costura.polly.pdb.compressed source: Lu4421.exe
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: Lu4421.exe, 00000000.00000002.27378137289.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: costura.costura.pdb.compressed source: Lu4421.exe
Source: Binary string: costura.wpf.ui.pdb.compressed source: Lu4421.exe
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: Lu4421.exe, Lu4421.exe, 00000000.00000002.27378137289.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: !costura.polly.core.pdb.compressed source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B8BA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: Lu4421.exe
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: Lu4421.exe
Source: Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: Lu4421.exe
Source: Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressed source: Lu4421.exe
Source: Binary string: costura.polly.pdb.compressed|||Polly.pdb|6E4429D15FBCD96C44E391E109CB500EC2508333|83400 source: Lu4421.exe
Source: Binary string: costura.polly.core.pdb.compressed|||Polly.Core.pdb|C1D3F2BA348EA2F6635B8F5961AD127E831487C6|66148 source: Lu4421.exe
Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed|||ICSharpCode.SharpZipLib.pdb|E1FCA83029D1440F54FB3747B240365A6DF0A598|121652 source: Lu4421.exe
Source: Binary string: costura.polly.core.pdb.compressed source: Lu4421.exe
Source: Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed source: Lu4421.exe

Networking

Source: Malware configuration extractor | URLs: https://szurubooru.zulipchat.com/api/v1/messages
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 185.199.111.133 185.199.111.133
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: Lu4421.exe, 00000000.00000002.27388291322.000001F5D1218000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Lu4421.exe, 00000000.00000002.27388291322.000001F5D11E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FE2000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FA0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Lu4421.exe, 00000000.00000002.27388291322.000001F5D1218000.00000004.00000020.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.27388291322.000001F5D11E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: Lu4421.exe | String found in binary or memory: https://github.com/kgnfth
Source: Lu4421.exe | String found in binary or memory: https://github.com/kgnfth/tumblr/raw/refs/heads/main/svchost.exe
Source: Lu4421.exe, 00000000.00000002.27388291322.000001F5D1218000.00000004.00000020.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.27388291322.000001F5D11E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FCA000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FA0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FA0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com#
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/MachineGuid.txt
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt
Source: Lu4421.exe | String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes_list.txt
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.11.20:49750 version: TLS 1.2

System Summary

Source: Lu4421.exe, type: SAMPLE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.Lu4421.exe.b00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Lu4421.exe | Static PE information: section name:
Source: Lu4421.exe | Static PE information: section name: .idata
Source: Lu4421.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFAD6408B52
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFAD640AB55
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFAD6407DA6
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFAD640DD5A
Source: Lu4421.exe, 00000000.00000002.27382045870.000001F5B6B3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Lu4421.exe
Source: Lu4421.exe, 00000000.00000002.27378085524.0000000000E96000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamestub.exe6 vs Lu4421.exe
Source: Lu4421.exe, 00000000.00000002.27383088853.000001F5B8990000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamestub.exe6 vs Lu4421.exe
Source: Lu4421.exe | Binary or memory string: OriginalFilenamestub.exe6 vs Lu4421.exe
Source: Lu4421.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.Lu4421.exe.b00000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/3@1/1
Source: C:\Users\user\Desktop\Lu4421.exe | File created: C:\Users\user\AppData\Local\14836e48a4f1130117893c60780cbd57
Source: C:\Users\user\Desktop\Lu4421.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:304:WilStaging_02
Source: C:\Users\user\Desktop\Lu4421.exe | File created: C:\Users\user\AppData\Local\Temp\Stealerium-Latest.log
Source: C:\Users\user\Desktop\Lu4421.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a42235a3-5c0c-493b-8363-b541a166b8b0.bat"
Source: Lu4421.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
Source: C:\Users\user\Desktop\Lu4421.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Lu4421.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 7452)
Source: C:\Users\user\Desktop\Lu4421.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Lu4421.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Lu4421.exe | ReversingLabs: Detection: 68%
Source: Lu4421.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: Lu4421.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: unknown | Process created: C:\Users\user\Desktop\Lu4421.exe "C:\Users\user\Desktop\Lu4421.exe"
Source: C:\Users\user\Desktop\Lu4421.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a42235a3-5c0c-493b-8363-b541a166b8b0.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7452
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK
Source: C:\Users\user\Desktop\Lu4421.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a42235a3-5c0c-493b-8363-b541a166b8b0.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7452
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Lu4421.exe | Section loaded: sppc.dll
                              Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Users\user\Desktop\Lu4421.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                              Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                              Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: edgegdi.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\System32\timeout.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\timeout.exeSection loaded: edgegdi.dllJump to behavior
                              Source: C:\Users\user\Desktop\Lu4421.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                              Source: Lu4421.exeStatic file information: File size 5865472 > 1048576
                              Source: Lu4421.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x394000
                              Source: Lu4421.exeStatic PE information: Raw size of iubcysyr is bigger than: 0x100000 < 0x1ff400
                              Source: Binary string: +costura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B8BA1000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe
                              Source: Binary string: costura.wpf.ui.pdb.compressed|||Wpf.Ui.pdb|299223DFCADFE8FD464F218CE110C10266AB22B0|139288 source: Lu4421.exe
                              Source: Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B8BA1000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed|||Newtonsoft.Json.Bson.pdb|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F|26968 source: Lu4421.exe
                              Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed source: Lu4421.exe
                              Source: Binary string: costura.polly.pdb.compressed source: Lu4421.exe
                              Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: Lu4421.exe, 00000000.00000002.27378137289.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              Source: Binary string: costura.costura.pdb.compressed source: Lu4421.exe
                              Source: Binary string: costura.wpf.ui.pdb.compressed source: Lu4421.exe
                              Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: Lu4421.exe, Lu4421.exe, 00000000.00000002.27378137289.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              Source: Binary string: !costura.polly.core.pdb.compressed source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B8BA1000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: Lu4421.exe
                              Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: Lu4421.exe
                              Source: Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: Lu4421.exe
                              Source: Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressed source: Lu4421.exe
                              Source: Binary string: costura.polly.pdb.compressed|||Polly.pdb|6E4429D15FBCD96C44E391E109CB500EC2508333|83400 source: Lu4421.exe
                              Source: Binary string: costura.polly.core.pdb.compressed|||Polly.Core.pdb|C1D3F2BA348EA2F6635B8F5961AD127E831487C6|66148 source: Lu4421.exe
                              Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed|||ICSharpCode.SharpZipLib.pdb|E1FCA83029D1440F54FB3747B240365A6DF0A598|121652 source: Lu4421.exe
                              Source: Binary string: costura.polly.core.pdb.compressed source: Lu4421.exe
                              Source: Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed source: Lu4421.exe

Data Obfuscation

Source: C:\Users\user\Desktop\Lu4421.exe | Unpacked PE file: 0.2.Lu4421.exe.b00000.0.unpack | section rights after unpacking: (empty name):EW; .rsrc:W; .idata:W; (empty name):EW; iubcysyr:EW; tpxtcrvz:EW; .taggant:EW | in the original file: (empty name):ER; .rsrc:W
Source: Yara match | File source: Lu4421.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Lu4421.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.27383588111.000001F5B8BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lu4421.exe PID: 7452, type: MEMORYSTR
Source: Lu4421.exe | Static PE information: TimeDateStamp 0xFFBE84BF [Sat Dec 19 14:25:03 2105 UTC], a date in the future
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: Lu4421.exe | Static PE information: checksum stored in the header 0x5a3d95, checksum computed over the file 0x5a3f7c (mismatch)
Source: Lu4421.exe | Static PE information: section name: (empty)
Source: Lu4421.exe | Static PE information: section name: .idata
Source: Lu4421.exe | Static PE information: section name: (empty)
Source: Lu4421.exe | Static PE information: section name: iubcysyr
Source: Lu4421.exe | Static PE information: section name: tpxtcrvz
Source: Lu4421.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFAD64023B0 push eax; iretd 0_2_00007FFAD64024A1
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_00007FFAD640BCB4 push es; retf 0_2_00007FFAD640BCB7
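The static findings above (a TimeDateStamp in the future, an entry point in .taggant, a header checksum that does not match the file, blank and random section names, sections larger than 1 MiB) can be reproduced with a short stdlib-only parser. The block below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It recomputes the CheckSum with the imagehlp algorithm, and build_sample_pe() constructs its own test input in memory, a minimal PE32+ layout that only mirrors the section names and header values listed above. The allow-lists CODE_SECTIONS and KNOWN_NAMES are assumptions.

```python
"""Static PE triage for the indicators this report flags (compile timestamp, entry-point
section, CheckSum recomputation, odd section names, oversized sections); stdlib only."""
import datetime
import struct

ONE_MIB = 0x100000
# Assumed allow-lists: sections an entry point normally lives in, and common linker names.
CODE_SECTIONS = {".text", ".code", "CODE", ".init"}
KNOWN_NAMES = CODE_SECTIONS | {".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
                               ".reloc", ".pdata", ".tls", ".xdata", ".CRT", ".debug"}


def pe_checksum(data, checksum_off):
    """Recompute the optional-header CheckSum as imagehlp does: a one's-complement sum
    of the file with the CheckSum field treated as zero, plus the file length."""
    buf = bytearray(data)
    buf[checksum_off:checksum_off + 4] = b"\0\0\0\0"
    buf += b"\0" * (-len(buf) % 4)
    total = sum(struct.unpack("<%dI" % (len(buf) // 4), buf))
    while total > 0xFFFFFFFF:                  # end-around carry at 32 bits
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)   # fold to 16 bits
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def triage_pe(data, now=None):
    """Return the static indicators for a PE image; 'flags' lists the ones that fire."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64                    # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + i * 40)
        name = name.rstrip(b"\0")
        sections.append({"name": name.decode("latin-1"), "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "special": not name or any(c < 0x21 or c > 0x7E for c in name)})
    now = now or datetime.datetime.now(datetime.timezone.utc)
    stamp = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    entry_sec = next((s["name"] for s in sections
                      if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    computed = pe_checksum(data, checksum_off)
    result = {"timestamp_utc": stamp.isoformat(), "entry_section": entry_sec,
              "checksum_stored": stored, "checksum_computed": computed,
              "special_names": [s["name"] for s in sections if s["special"]],
              "unknown_names": [s["name"] for s in sections if not s["special"] and s["name"] not in KNOWN_NAMES],
              "oversized": [(s["name"], s["rawsize"]) for s in sections if s["rawsize"] > ONE_MIB],
              "flags": []}
    if timestamp == 0 or stamp > now:
        result["flags"].append("suspicious_timestamp")
    if entry_sec not in CODE_SECTIONS:
        result["flags"].append("entry_point_outside_standard_section")
    if stored and stored != computed:          # an all-zero CheckSum only means "not set"
        result["flags"].append("checksum_mismatch")
    for key, flag in (("special_names", "section_name_special_chars"),
                      ("unknown_names", "section_name_nonstandard"),
                      ("oversized", "section_raw_size_over_1MiB")):
        if result[key]:
            result["flags"].append(flag)
    return result


def build_sample_pe(names, entry_rva, timestamp, raw_sizes=None, checksum=None):
    """Constructed minimal PE32+ layout (headers plus zero-filled sections) for testing;
    not a runnable executable.  Section names are bytes of at most 8 characters."""
    align, nsec = 0x200, len(names)
    raw_sizes = raw_sizes or [align] * nsec
    first_raw = -(-(64 + 4 + 20 + 240 + 40 * nsec) // align) * align   # SizeOfHeaders, file-aligned
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H14xI", opt, 0, 0x20B, entry_rva)              # PE32+ magic, AddressOfEntryPoint
    struct.pack_into("<QII", opt, 24, 0x140000000, 0x1000, align)     # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    table, body, vaddr, rawptr = b"", b"", 0x1000, first_raw
    for name, size in zip(names, raw_sizes):
        table += struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, rawptr, 0, 0, 0, 0, 0x60000020)
        body += bytes(size)
        vaddr += -(-size // 0x1000) * 0x1000
        rawptr += size
    struct.pack_into("<II", opt, 56, vaddr, first_raw)                # SizeOfImage, SizeOfHeaders
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    image += bytes(first_raw - len(image)) + body
    cs_off = 64 + 4 + 20 + 64
    struct.pack_into("<I", image, cs_off, pe_checksum(image, cs_off) if checksum is None else checksum)
    return bytes(image)


if __name__ == "__main__":
    # Layout mirroring the report: blank name, random names, entry in .taggant, stamp 0xFFBE84BF,
    # stored CheckSum 0x5a3d95, one section above 1 MiB.
    sample = build_sample_pe([b".text", b"", b"iubcysyr", b".taggant"], 0x104010, 0xFFBE84BF,
                             raw_sizes=[0x200, 0x200, 0x100400, 0x200], checksum=0x5A3D95)
    for key, value in triage_pe(sample).items():
        print(f"{key:18} {value}")
```

To run it against a real file, pass `open(path, "rb").read()` to `triage_pe`. A checksum mismatch on its own is weak evidence (many unsigned builds leave the field at zero, which the code treats as "not set"), but combined with a future timestamp and an entry point outside the code section it is the same picture the report draws.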

Boot Survival

Source: C:\Users\user\Desktop\Lu4421.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\Lu4421.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\Lu4421.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\Lu4421.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\Lu4421.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\Lu4421.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\Lu4421.exe | Process information set: NOOPENFILEERRORBOX (55 occurrences)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Lu4421.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Lu4421.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.27383588111.000001F5B9000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.27383588111.000001F5B8FFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.27383588111.000001F5B8FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lu4421.exe PID: 7452, type: MEMORYSTR
Source: C:\Users\user\Desktop\Lu4421.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController (2 occurrences)
Source: C:\Users\user\Desktop\Lu4421.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Lu4421.exe | Memory allocated: 1F5B89F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Lu4421.exe | Memory allocated: 1F5D0BA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Lu4421.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Lu4421.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Lu4421.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\Lu4421.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Lu4421.exe | Window / User API: threadDelayed 5893
Source: C:\Users\user\Desktop\Lu4421.exe TID: 3332 | Thread sleep count: 223 > 30
Source: C:\Users\user\Desktop\Lu4421.exe TID: 3332 | Thread sleep count: 207 > 30
Source: C:\Users\user\Desktop\Lu4421.exe TID: 3332 | Thread sleep count: 216 > 30
Source: C:\Users\user\Desktop\Lu4421.exe TID: 3332 | Thread sleep count: 205 > 30
Source: C:\Users\user\Desktop\Lu4421.exe TID: 3332 | Thread sleep count: 211 > 30
Source: C:\Users\user\Desktop\Lu4421.exe TID: 3332 | Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\Lu4421.exe TID: 3332 | Thread sleep count: 239 > 30
Source: C:\Users\user\Desktop\Lu4421.exe TID: 3332 | Thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\Lu4421.exe TID: 7404 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\Lu4421.exe TID: 1360 | Thread sleep count: 5893 > 30
Source: C:\Users\user\Desktop\Lu4421.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor (2 occurrences)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Lu4421.exe | Thread delayed: delay time: 922337203685477
Source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B909A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA 3D
Source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B90A3000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.27383588111.000001F5B909A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Video
Source: Lu4421.exe | Binary or memory string: vmicshutdown
Source: Lu4421.exe | Binary or memory string: vmware
Source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B90A3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft hyper-v video
Source: Lu4421.exe | Binary or memory string: vmicvss
Source: Lu4421.exe, 00000000.00000002.27383588111.000001F5B90A3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware svga 3d
Source: Lu4421.exe, 00000000.00000002.27387534022.000001F5D10E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: Lu4421.exe | Binary or memory string: VirtualMachine:
Source: Lu4421.exe | Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\Lu4421.exe | System information queried: ModuleInformation
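The artefacts this section shows the sample reading (Win32_VideoController names, the display-class DriverDesc value, SystemBiosVersion and VideoBiosVersion, the vmic* Hyper-V integration service names, and the Filemon/Procmon/Regmon window classes and titles) are exactly what a sandbox operator has to neutralise before this family runs. The block below is an added example, not code from the report or from the sample: it turns those indicators into a checklist over a host inventory and reports, for each hit, where the sample reads the value. Comparisons are lowercase because the dump contains both spellings. Both inventories are constructed, and the substring "hyper-v" for the BIOS strings is an assumption (the report shows only that the values are read).

```python
"""Checklist of the VM and monitoring-tool artefacts this sample reads, taken from the WMI
queries, registry reads, window lookups and strings in this section, applied to a host
inventory.  Comparisons are lowercase, as the sample's own copies in the dump are."""

VIDEO_QUERY = "WMI root\\CIMV2: SELECT * FROM Win32_VideoController"
DRIVER_KEY = r"HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000\DriverDesc"
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System"

VIDEO_MARKERS = ("vmware svga 3d", "microsoft hyper-v video", "vmware", "virtualmachine")
BIOS_MARKERS = ("vmware", "hyper-v", "virtualmachine")   # "hyper-v" is an assumption; the dump only shows the reads
HYPERV_SERVICES = frozenset({"vmicshutdown", "vmicvss", "vmicheartbeat"})
MONITOR_WINDOWS = frozenset({
    "filemonclass", "procmon_window_class", "regmonclass",
    "file monitor - sysinternals: www.sysinternals.com",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
})


def audit_host(inv):
    """Return, per indicator group, (value, where the sample reads it) pairs that would
    make this sample conclude it is being analysed, plus an overall verdict."""
    hits = {"video": [], "bios": [], "services": [], "windows": []}
    for name in inv.get("video_controllers", ()):
        if any(m in name.lower() for m in VIDEO_MARKERS):
            hits["video"].append((name, VIDEO_QUERY))
    desc = inv.get("display_driver_desc", "")
    if any(m in desc.lower() for m in VIDEO_MARKERS):
        hits["video"].append((desc, DRIVER_KEY))
    for value_name in ("SystemBiosVersion", "VideoBiosVersion"):      # REG_MULTI_SZ values
        for s in inv.get("bios", {}).get(value_name, ()):
            if any(m in s.lower() for m in BIOS_MARKERS):
                hits["bios"].append((s, BIOS_KEY + "\\" + value_name))
    for svc in inv.get("services", ()):
        if svc.lower() in HYPERV_SERVICES:
            hits["services"].append((svc, "installed service name"))
    for cls, title in inv.get("windows", ()):
        if cls.lower() in MONITOR_WINDOWS or title.lower() in MONITOR_WINDOWS:
            hits["windows"].append((cls or title, "FindWindow class/title"))
    hits["would_bail"] = any(hits[g] for g in ("video", "bios", "services", "windows"))
    return hits


# Both inventories are constructed; the values are not taken from any real machine.
SANDBOX_HOST = {
    "video_controllers": ["VMware SVGA 3D"],
    "display_driver_desc": "VMware SVGA 3D",
    "bios": {"SystemBiosVersion": ["VMWARE - 1"], "VideoBiosVersion": []},
    "services": ["Dhcp", "vmicheartbeat", "vmicvss", "vmicshutdown"],
    "windows": [("PROCMON_WINDOW_CLASS", "Process Monitor - Sysinternals: www.sysinternals.com")],
}
HARDENED_HOST = {
    "video_controllers": ["Standard VGA Graphics Adapter"],
    "display_driver_desc": "Standard VGA Graphics Adapter",
    "bios": {"SystemBiosVersion": ["OEM - 1072009"], "VideoBiosVersion": ["Video BIOS"]},
    "services": ["Dhcp", "EventLog"],
    "windows": [("Shell_TrayWnd", "")],
}

if __name__ == "__main__":
    for label, inv in (("sandbox", SANDBOX_HOST), ("hardened", HARDENED_HOST)):
        print(label, audit_host(inv))
```

On a real analysis VM the inventory would be filled from the same sources the sample uses (the WMI query, the two registry paths, the service list, and an EnumWindows pass), so every hit maps directly to a value to rename, a service to stop, or a tool window to close before detonation.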

Anti Debugging

Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Lu4421.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Lu4421.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Lu4421.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Lu4421.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Lu4421.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Lu4421.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Lu4421.exe | NtQueryInformationProcess: Indirect: 0x119220B
Source: C:\Users\user\Desktop\Lu4421.exe | NtQuerySystemInformation: Indirect: 0x11549F0
Source: C:\Users\user\Desktop\Lu4421.exe | NtQueryInformationProcess: Indirect: 0x1192062
Source: C:\Users\user\Desktop\Lu4421.exe | NtQuerySystemInformation: Indirect: 0x1186806
Source: C:\Users\user\Desktop\Lu4421.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a42235a3-5c0c-493b-8363-b541a166b8b0.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7452
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7452
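The process chain above (cmd.exe /C on a GUID-named .bat in %TEMP%, chcp 65001, taskkill /F /PID 7452, timeout /T 2 /NOBREAK, then taskkill again) is the sample, PID 7452, killing its own process from a child. The block below is an added detection example written for this page, not code from the report: it walks the parent chain of every taskkill event and flags those whose /PID target is one of their own ancestors, using the .bat-under-Temp cmd.exe parent as a corroborating signal. The events are constructed; only PID 7452 and the command lines come from the report, the other PIDs are made up.

```python
"""Hunt for the self-termination chain in the process tree above: a parent spawns cmd.exe
on a .bat in %TEMP%, and a taskkill child of that cmd kills the parent's PID."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:            # one process-creation record (Sysmon EID 1 / 4688 style)
    pid: int
    ppid: int
    image: str
    cmdline: str


TASKKILL_PID = re.compile(r"/PID\s+(\d+)", re.IGNORECASE)
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"]+\.bat', re.IGNORECASE)


def ancestors(pid, by_pid, limit=8):
    """Yield parent PIDs outward from pid; stop at unknown PIDs, cycles, or limit hops."""
    seen = set()
    while pid in by_pid and pid not in seen and len(seen) < limit:
        seen.add(pid)
        pid = by_pid[pid].ppid
        yield pid


def detect_self_kill(events):
    """Return one finding per taskkill whose /PID target is one of its own ancestors."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\taskkill.exe"):
            continue
        m = TASKKILL_PID.search(e.cmdline)
        if not m:
            continue
        target = int(m.group(1))
        chain = list(ancestors(e.pid, by_pid))
        if target not in chain:
            continue
        parent = by_pid.get(e.ppid)
        findings.append({
            "taskkill_pid": e.pid,
            "target_pid": target,
            "target_image": getattr(by_pid.get(target), "image", None),
            "depth": chain.index(target) + 1,            # 2 = kills its grandparent
            "forced": "/F" in e.cmdline.upper().split(),
            "via_temp_bat": bool(parent and parent.image.lower().endswith("\\cmd.exe")
                                 and TEMP_BAT.search(parent.cmdline)),
        })
    return findings


# Constructed events modelled on the report; only PID 7452 and the command lines are from it.
EVENTS = [
    ProcEvent(7452, 4000, r"C:\Users\user\Desktop\Lu4421.exe", r'"C:\Users\user\Desktop\Lu4421.exe"'),
    ProcEvent(7500, 7452, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a42235a3-5c0c-493b-8363-b541a166b8b0.bat"'),
    ProcEvent(7510, 7500, r"C:\Windows\System32\chcp.com", "chcp 65001"),
    ProcEvent(7520, 7500, r"C:\Windows\System32\taskkill.exe", "taskkill /F /PID 7452"),
    ProcEvent(7530, 7500, r"C:\Windows\System32\timeout.exe", "timeout /T 2 /NOBREAK"),
    ProcEvent(7540, 7500, r"C:\Windows\System32\taskkill.exe", "taskkill /F /PID 7452"),
    # Benign control: an operator killing an unrelated process from a console.
    ProcEvent(9000, 8000, r"C:\Windows\System32\taskkill.exe", "taskkill /F /PID 1234"),
]

if __name__ == "__main__":
    for finding in detect_self_kill(EVENTS):
        print(finding)
```

The ancestry walk is what keeps the rule quiet: taskkill against an arbitrary PID is routine on a workstation, but a taskkill whose target is its own grandparent, launched through a batch file in the user's Temp directory, is the shape of a self-delete or self-restart routine and is worth an alert regardless of the image name involved.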

Language, Device and Operating System Detection

Source: Yara match | File source: Lu4421.exe, type: SAMPLE
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Lu4421.exe | Code function: 0_2_0115F200 WaitForSingleObject,GetVersion,0_2_0115F200
Source: C:\Users\user\Desktop\Lu4421.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: Lu4421.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Lu4421.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Lu4421.exe | String found in binary or memory: Electrum!Electrum\wallets
Source: Lu4421.exe | String found in binary or memory: bytecoinJaxxicom.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Lu4421.exe | String found in binary or memory: Exodus)Exodus\exodus.wallet
Source: Lu4421.exe | String found in binary or memory: Ethereum#Ethereum\keystore (2 occurrences)
Source: Yara match | File source: Lu4421.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Lu4421.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: Lu4421.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Lu4421.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the report's signature hit count for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (111); Command and Scripting Interpreter (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scripting (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (11); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (261); Process Injection (11); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (1); Software Packing (1); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery (331); Virtualization/Sandbox Evasion (261); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (15); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Antivirus Detection

Source | Detection | Scanner | Label
Lu4421.exe | 68% | ReversingLabs | Win64.Trojan.Amadey
Lu4421.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://szurubooru.zulipchat.com/api/v1/messages | 0% | Avira URL Cloud | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
raw.githubusercontent.com | 185.199.111.133 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt | false | | high
https://szurubooru.zulipchat.com/api/v1/messages | true | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/MachineGuid.txt | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes_list.txt | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com# | Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FA0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://raw.githubusercontent.com | Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FCA000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FA0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/kgnfth | Lu4421.exe | false | | high
http://raw.githubusercontent.com | Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FE2000.00000004.00000800.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FD3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/kgnfth/tumblr/raw/refs/heads/main/svchost.exe | Lu4421.exe | false | | high
http://www.quovadis.bm0 | Lu4421.exe, 00000000.00000002.27388291322.000001F5D1218000.00000004.00000020.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.27388291322.000001F5D11E0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ocsp.quovadisoffshore.com0 | Lu4421.exe, 00000000.00000002.27388291322.000001F5D1218000.00000004.00000020.00020000.00000000.sdmp, Lu4421.exe, 00000000.00000002.27388291322.000001F5D11E0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Lu4421.exe, 00000000.00000002.27383588111.000001F5B8FA0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ | Lu4421.exe | false | | high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577337
Start date and time: 2024-12-18 12:13:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected VM Detection
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Lu4421.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/3@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Lu4421.exe
Time | Type | Description
06:15:22 | API Interceptor | 14x Sleep call for process: Lu4421.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.199.111.133 | cr_asm2.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | cr_asm_crypter.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | BeginSync lnk.lnk | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt

Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.109.133
raw.githubusercontent.com | urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.110.133
raw.githubusercontent.com | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.108.133
raw.githubusercontent.com | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.110.133
raw.githubusercontent.com | rbqHSouklL.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | stealer.jar | malicious | Can Stealer | 185.199.111.133
raw.githubusercontent.com | stealer.jar | malicious | Can Stealer | 185.199.109.133
raw.githubusercontent.com | mjjt5kTb4o.lnk | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | 3gJQoqWpxb.bat | malicious | Unknown | 185.199.108.133

Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | do.ps1 | malicious | Unknown | 151.101.1.91
FASTLYUS | http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32 | malicious | Unknown | 151.101.194.208
FASTLYUS | urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.109.133
FASTLYUS | urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.110.133
FASTLYUS | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.108.133
FASTLYUS | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.110.133
FASTLYUS | http://recp.mkt81.net/ctt?m=9201264&r=MjcwMzc5ODk4MTM3S0&b=0&j=MTY4MDU5NzgyOAS2&k=Language&kx=1&kt=12&kd=//docs.google.com/drawings/d/1GBvP8EGp9_63LeC_UMSYm_dkcuk4Q6yrMmrOzMDg_wk/preview?pli=1 | malicious | Unknown | 151.101.2.137
FASTLYUS | ORDER-2412180Y6890PF57682456HTVC789378909759..jar | malicious | Caesium Obfuscator, STRRAT | 199.232.192.209
FASTLYUS | Credit Card Authorization Form.pdf | malicious | Unknown | 151.101.129.229

Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32 | malicious | Unknown | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | Memo - Impairment Test 2023 MEX010B (5).js | malicious | Unknown | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | Awb 4586109146.bat.exe | malicious | AgentTesla, GuLoader | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | PO 0309494059506060609696007.exe | malicious | AgentTesla, GuLoader | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | RFQ December-January Forcast and TCL.exe | malicious | GuLoader, MassLogger RAT | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | sldkjgsdGarDe3.bat | malicious | Abobus Obfuscator, Braodo | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | jhsdfggga13.bat | malicious | Abobus Obfuscator, Braodo | 185.199.111.133
                                                              No context
Process: C:\Users\user\Desktop\Lu4421.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 956
Entropy (8bit): 5.177550727578771
Encrypted: false
SSDEEP: 24:oV0F4q6vwnVymWybbyou0A0ynCPySZyWHQyoYnyegyr9M:oO6vwnfK0sCV7M
MD5: 3BFF8DE21606A9FE7D891542D1E6CC30
SHA1: D0D9419BE3C3B4A04A0257B2492C17AAB6209077
SHA-256: 5BEF547E08E4ACDE46B23468C3C9CDC8EED97AE25C65A29AC28B3F64B447B2D6
SHA-512: FB6213E4038303931708EB38F6F5708E9B3993694554509F65D8F5F7744A351F464E0D4C7AF38B2797AEE5666D7251A67956197752498275910B89F0C5405629
Malicious: false
Reputation: low
Preview: [2024-12-18 06:15:22.657] HideFile : Adding 'hidden' attribute to file C:\Users\user\AppData\Local\14836e48a4f1130117893c60780cbd57..[2024-12-18 06:16:30.596] AntiAnalysis: Successfully loaded 'MachineGuids' list with 30 entries...[2024-12-18 06:16:30.612] AntiAnalysis: Successfully loaded 'GPUs' list with 99 entries...[2024-12-18 06:16:39.777] AntiAnalysis: Successfully loaded 'Processes' list with 2 entries...[2024-12-18 06:16:39.808] AntiAnalysis: Successfully loaded 'PCUsernames' list with 143 entries...[2024-12-18 06:16:39.839] AntiAnalysis: Successfully loaded 'PCNames' list with 230 entries...[2024-12-18 06:16:48.927] AntiAnalysis: Successfully loaded 'IPs' list with 203 entries...[2024-12-18 06:16:48.974] AntiAnalysis: Suspicious GPU detected: Intel(R) UHD Graphics 630..[2024-12-18 06:16:48.989] AntiAnalysis: Suspicious GPU detected! Self-destructing.....[2024-12-18 06:16:57.984] SelfDestruct: Initiating self-destruct procedure.....

Process: C:\Users\user\Desktop\Lu4421.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 153
Entropy (8bit): 5.381525183032284
Encrypted: false
SSDEEP: 3:HFTulK1shFzXCOL2STtv/K025PONtkE2J5xAIsHP9A+VdghTvn:sgyL2SZX2PCN23fwP9H0pn
MD5: 77AAA6FAF79476225D80881E8DC5103D
SHA1: FF823400433BB5B1DBDB85D5363262DF91F5410F
SHA-256: B5B8EF4AB646E09839E3FEC1BF4C5265765E3797C8C456AB5A74BBFA4D206F53
SHA-512: 295B86175ADC2B9766A54D39E5D702B2EE84D7B28182B49E9439AAE0B6C6262AB20E7C71AD34015AE8EBCCEF3660E137CB30DBDEE58836BC3BE60B148F3217AE
Malicious: false
Reputation: low
Preview: chcp 65001..taskkill /F /PID 7452..timeout /T 2 /NOBREAK > NUL..del /F /Q "C:\Users\user\AppData\Local\Temp\a42235a3-5c0c-493b-8363-b541a166b8b0.bat"..

Process: C:\Windows\System32\timeout.exe
File Type: ASCII text, with CRLF line terminators, with overstriking
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.5991860770036785
Encrypted: false
SSDEEP: 3:hYF8AgARcWmFsFJQZaVy:hYF/mFSQZas
MD5: 471500D11DAF370CB75C597A4B1A7654
SHA1: 1AC2D4BDA1A30E09287F680C2AD75C577B096898
SHA-256: C751BAFF37E4DC361F2C77BCC6B356159CC6178D1642244CBCD764A8DDE409B9
SHA-512: DB81C5CE33D78E5618F41738129B5E623300CEFF188D99E7173E4E524107EEDED4C3BE2F15AC4715D3D10EAC23E39841978BBD42326E5C4E016A2B938C37A855
Malicious: false
Reputation: moderate, very likely benign file
Preview: ..Waiting for 2 seconds, press CTRL+C to quit ....1.0..
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.973829401437202
TrID:
• Win64 Executable GUI Net Framework (217006/5) 47.53%
• Win64 Executable GUI (202006/5) 44.25%
• Win64 Executable (generic) Net Framework (21505/4) 4.71%
• Win64 Executable (generic) (12005/4) 2.63%
• Generic Win/DOS Executable (2004/3) 0.44%
File name: Lu4421.exe
File size: 5'865'472 bytes
MD5: e5358fca58c0e1b1e29eb195fb0f4675
SHA1: a114c059fed08a501c344f40d9f702f03cdebbab
SHA256: 220c04c30a7dbd084fdebe00102f6340194845d8664dfd669a5549f23a1031c4
SHA512: f072704ad3ffe2ad975972453f1a58fe3ccd4061ef275e833e60b593e79e65e9955fe841e7248002046e4c35472bbc9c946457f9608fe10c92fa07a9747ea8f3
SSDEEP: 98304:xkqXf0FlL9nrYAWAZi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13r7INfWdpe:xkSIlLtzWAXAkuujCPX9YG9he5GnQCAe
TLSH: 3146331473F5069AF1FB6BB4E97141119E36BA07C077EA4C1958109C0EB3789AD22FBB
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..*9..........`... ....@...... ...............................=Z...`...@......@............... .....
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xd26000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0xFFBE84BF [Sat Dec 19 14:25:03 2105 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: dc12932426806b6b47a373d7ae42c21d
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x398085         0xad          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x396000         0x53c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name       Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy             Characteristics
(unnamed)  0x2000           0x394000      0x394000  ceec5083f285b2c1be8d061a39f91e2c  unknown   unknown              unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc      0x396000         0x53c         0x400     fb14019a6944b144187ed32a35b67085  False     0.6904296875         data                  5.659166984958865   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata     0x398000         0x2000        0x200     f556b29b2c3bed37b6a24754dd07217a  False     0.166015625          data                  1.1919459888330979  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed)  0x39a000         0x38a000      0x200     7c37b2d3bde84d00b50b7fc7d29ad5fd  unknown   unknown              unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iubcysyr   0x724000         0x200000      0x1ff400  5307be4cfcf1ab435746dd4c576b558c  unknown   unknown              unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tpxtcrvz   0x924000         0x2000        0x200     ff4192a5c1ad550f8e65ea3f3799fbc4  False     0.587890625          data                  4.534819229507492   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant   0x926000         0x4000        0x2200    96c9148d88dec28e0da1788ac9c5c22a  False     0.07192095588235294  DOS executable (COM)  0.9116417289365074  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name         RVA       Size   Type                                    Language  Country  ZLIB Complexity
RT_VERSION   0x922dd8  0x348  data                                                       0.43214285714285716
RT_MANIFEST  0x923120  0x152  ASCII text, with CRLF line terminators                     0.6479289940828402
DLL           Import
kernel32.dll  lstrcpy
mscoree.dll   _CorExeMain
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 18, 2024 12:15:23.657195091 CET  51983        53         192.168.11.20  1.1.1.1
Dec 18, 2024 12:15:23.792727947 CET  53           51983      1.1.1.1        192.168.11.20
Timestamp                            Source IP      Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Dec 18, 2024 12:15:23.657195091 CET  192.168.11.20  1.1.1.1  0x545     Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP        Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
Dec 18, 2024 12:15:23.792727947 CET  1.1.1.1    192.168.11.20  0x545     No error (0)  raw.githubusercontent.com         185.199.111.133  A (IP address)  IN (0x0001)  false
Dec 18, 2024 12:15:23.792727947 CET  1.1.1.1    192.168.11.20  0x545     No error (0)  raw.githubusercontent.com         185.199.108.133  A (IP address)  IN (0x0001)  false
Dec 18, 2024 12:15:23.792727947 CET  1.1.1.1    192.168.11.20  0x545     No error (0)  raw.githubusercontent.com         185.199.109.133  A (IP address)  IN (0x0001)  false
Dec 18, 2024 12:15:23.792727947 CET  1.1.1.1    192.168.11.20  0x545     No error (0)  raw.githubusercontent.com         185.199.110.133  A (IP address)  IN (0x0001)  false
• raw.githubusercontent.com

Session ID  Source IP      Source Port  Destination IP   Destination Port  PID   Process
0           192.168.11.20  49751        185.199.111.133  443               7452  C:\Users\user\Desktop\Lu4421.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-18 11:15:24 UTC  128                OUT        GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-12-18 11:15:24 UTC  896                IN         HTTP/1.1 200 OK
Connection: close
Content-Length: 1275
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "bbf75a064e165fba2b8fcc6595e496788fe27c3185ffa2fa56d3479e12867693"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 88BB:34C8CF:94DE32:A35F6F:6762AECC
Accept-Ranges: bytes
Date: Wed, 18 Dec 2024 11:15:24 GMT
Via: 1.1 varnish
X-Served-By: cache-gnv1820031-GNV
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1734520524.294015,VS0,VE173
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: a1b804b47825206845b0ae584be9e936c6345dcb
Expires: Wed, 18 Dec 2024 11:20:24 GMT
Source-Age: 0
2024-12-18 11:15:24 UTC  1275              IN         Data Ascii: 05h00Gi005KvAUQKPQ21zLucUnfI853u2v9m843By44tgiizsLimS5sIBK5Y3y73grepete64F2tKIqO56O4KyHhJXBiR7DBgdxu7wjlGX7PjlW48LnfAai9QdJR8Nl0ColNQ5bq8VizSM9yjCPsEYIMHAbbyacoxAdministratorAmyandreaAppOnFlySupportASPNETazurebarbarraybenjahBrun


Session ID  Source IP      Source Port  Destination IP   Destination Port  PID   Process
1           192.168.11.20  49747        185.199.111.133  443               7452  C:\Users\user\Desktop\Lu4421.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 11:15:24 UTC  124                OUT        GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-12-18 11:15:24 UTC  895                IN         HTTP/1.1 200 OK
Connection: close
Content-Length: 3145
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "72b0005e577398f4eb7596131aa14f87c4f7379acc30e24456d4830af5304467"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: E390:38EFF:8F0816:9D895B:6762AECC
Accept-Ranges: bytes
Date: Wed, 18 Dec 2024 11:15:24 GMT
Via: 1.1 varnish
X-Served-By: cache-gnv1820024-GNV
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1734520524.296910,VS0,VE193
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: e2f944cba2b3d0ab34696c89251f75045e63475b
Expires: Wed, 18 Dec 2024 11:20:24 GMT
Source-Age: 0
2024-12-18 11:15:24 UTC | 1378 | IN | Data Raw: 30 30 39 30 30 42 43 38 33 38 30 32 0a 30 30 39 30 30 42 43 38 33 38 30 33 0a 30 43 43 34 37 41 43 38 33 38 30 33 0a 31 38 43 39 41 43 44 46 2d 37 43 30 30 2d 34 0a 33 43 45 43 45 46 43 38 33 38 30 36 0a 36 43 34 45 37 33 33 46 2d 43 32 44 39 2d 34 0a 41 42 49 47 41 49 0a 41 43 45 50 43 0a 41 49 44 41 4e 50 43 0a 41 4c 45 4e 4d 4f 4f 53 2d 50 43 0a 41 4c 49 4f 4e 45 0a 41 50 50 4f 4e 46 4c 59 2d 56 50 53 0a 41 52 43 48 49 42 41 4c 44 50 43 0a 61 7a 75 72 65 0a 42 33 30 46 30 32 34 32 2d 31 43 36 41 2d 34 0a 42 41 52 4f 53 49 4e 4f 2d 50 43 0a 42 45 43 4b 45 52 2d 50 43 0a 42 45 45 37 33 37 30 43 2d 38 43 30 43 2d 34 0a 43 38 31 46 36 36 43 38 33 38 30 35 0a 43 41 54 57 52 49 47 48 54 0a 43 48 53 48 41 57 0a 43 4f 46 46 45 45 2d 53 48 4f 50 0a 43 4f 4d 50
                                                              Data Ascii: 00900BC8380200900BC838030CC47AC8380318C9ACDF-7C00-43CECEFC838066C4E733F-C2D9-4ABIGAIACEPCAIDANPCALENMOOS-PCALIONEAPPONFLY-VPSARCHIBALDPCazureB30F0242-1C6A-4BAROSINO-PCBECKER-PCBEE7370C-8C0C-4C81F66C83805CATWRIGHTCHSHAWCOFFEE-SHOPCOMP
2024-12-18 11:15:24 UTC | 1378 | IN | Data Raw: 46 4f 0a 44 45 53 4b 54 4f 50 2d 4c 54 4d 43 4b 4c 41 0a 44 45 53 4b 54 4f 50 2d 4d 4a 43 36 35 30 30 0a 44 45 53 4b 54 4f 50 2d 4d 57 46 52 56 4b 48 0a 44 45 53 4b 54 4f 50 2d 4e 41 4b 46 46 4d 54 0a 44 45 53 4b 54 4f 50 2d 4e 4b 50 30 49 34 50 0a 44 45 53 4b 54 4f 50 2d 4e 4d 31 5a 50 4c 47 0a 44 45 53 4b 54 4f 50 2d 4e 54 55 37 56 55 4f 0a 44 45 53 4b 54 4f 50 2d 4f 36 46 42 4d 46 37 0a 44 45 53 4b 54 4f 50 2d 4f 37 42 49 33 50 54 0a 44 45 53 4b 54 4f 50 2d 50 41 30 46 4e 56 35 0a 44 45 53 4b 54 4f 50 2d 50 4b 51 4e 44 53 52 0a 44 45 53 4b 54 4f 50 2d 51 4c 4e 32 56 55 46 0a 44 45 53 4b 54 4f 50 2d 51 55 41 59 38 47 53 0a 44 45 53 4b 54 4f 50 2d 52 43 41 33 51 57 58 0a 44 45 53 4b 54 4f 50 2d 52 48 58 44 4b 57 57 0a 44 45 53 4b 54 4f 50 2d 52 50 34 46
                                                              Data Ascii: FODESKTOP-LTMCKLADESKTOP-MJC6500DESKTOP-MWFRVKHDESKTOP-NAKFFMTDESKTOP-NKP0I4PDESKTOP-NM1ZPLGDESKTOP-NTU7VUODESKTOP-O6FBMF7DESKTOP-O7BI3PTDESKTOP-PA0FNV5DESKTOP-PKQNDSRDESKTOP-QLN2VUFDESKTOP-QUAY8GSDESKTOP-RCA3QWXDESKTOP-RHXDKWWDESKTOP-RP4F
2024-12-18 11:15:24 UTC | 389 | IN | Data Raw: 45 45 4c 35 33 53 4e 0a 57 49 4e 5a 44 53 2d 31 42 48 52 56 50 51 55 0a 57 49 4e 5a 44 53 2d 32 32 55 52 4a 49 42 56 0a 57 49 4e 5a 44 53 2d 33 46 46 32 49 39 53 4e 0a 57 49 4e 5a 44 53 2d 35 4a 37 35 44 54 48 48 0a 57 49 4e 5a 44 53 2d 36 54 55 49 48 4e 37 52 0a 57 49 4e 5a 44 53 2d 38 4d 41 45 49 38 45 34 0a 57 49 4e 5a 44 53 2d 39 49 4f 37 35 53 56 47 0a 57 49 4e 5a 44 53 2d 41 4d 37 36 48 50 4b 32 0a 57 49 4e 5a 44 53 2d 42 30 33 4c 39 43 45 4f 0a 57 49 4e 5a 44 53 2d 42 4d 53 4d 44 38 4d 45 0a 57 49 4e 5a 44 53 2d 42 55 41 4f 4b 47 47 31 0a 57 49 4e 5a 44 53 2d 4b 37 56 49 4b 34 46 43 0a 57 49 4e 5a 44 53 2d 4d 49 4c 4f 42 4d 33 35 0a 57 49 4e 5a 44 53 2d 50 55 30 55 52 50 56 49 0a 57 49 4e 5a 44 53 2d 51 4e 47 4b 47 4e 35 39 0a 57 49 4e 5a 44 53 2d
                                                              Data Ascii: EEL53SNWINZDS-1BHRVPQUWINZDS-22URJIBVWINZDS-3FF2I9SNWINZDS-5J75DTHHWINZDS-6TUIHN7RWINZDS-8MAEI8E4WINZDS-9IO75SVGWINZDS-AM76HPK2WINZDS-B03L9CEOWINZDS-BMSMD8MEWINZDS-BUAOKGG1WINZDS-K7VIK4FCWINZDS-MILOBM35WINZDS-PU0URPVIWINZDS-QNGKGN59WINZDS-


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.11.20 | 49746 | 185.199.111.133 | 443 | 7452 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:15:24 UTC | 123 | OUT | GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1
                                                              Host: raw.githubusercontent.com
                                                              Connection: Keep-Alive
2024-12-18 11:15:24 UTC | 898 | IN | HTTP/1.1 200 OK
                                                              Connection: close
                                                              Content-Length: 1110
                                                              Cache-Control: max-age=300
                                                              Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                              Content-Type: text/plain; charset=utf-8
                                                              ETag: "1224175461dce581d971884e2b8af67d12f105702cbcc56be1043ccc84319e42"
                                                              Strict-Transport-Security: max-age=31536000
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: deny
                                                              X-XSS-Protection: 1; mode=block
                                                              X-GitHub-Request-Id: F23B:EAF46:2162FD:246DDC:67628BFA
                                                              Accept-Ranges: bytes
                                                              Date: Wed, 18 Dec 2024 11:15:24 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-pdk-kfty8610056-PDK
                                                              X-Cache: HIT
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1734520524.315589,VS0,VE71
                                                              Vary: Authorization,Accept-Encoding,Origin
                                                              Access-Control-Allow-Origin: *
                                                              Cross-Origin-Resource-Policy: cross-origin
                                                              X-Fastly-Request-ID: ddbf4b9ea528d47a34aa2c62a6bf02ce56b5c1be
                                                              Expires: Wed, 18 Dec 2024 11:20:24 GMT
                                                              Source-Age: 0
2024-12-18 11:15:24 UTC | 1110 | IN | Data Raw: 30 38 31 61 62 33 39 35 2d 35 65 38 35 2d 34 36 33 34 2d 61 63 64 62 2d 32 64 62 64 34 66 35 39 61 37 64 30 0a 30 38 39 65 36 32 31 63 2d 31 34 32 32 2d 34 38 35 36 2d 61 38 62 31 2d 33 66 31 64 62 32 30 38 63 65 39 65 0a 31 30 37 39 37 66 31 64 2d 39 36 31 33 2d 34 38 33 32 2d 62 31 61 33 2d 63 32 32 66 65 33 36 35 62 38 39 64 0a 31 35 39 34 37 38 30 32 2d 63 62 39 63 2d 34 37 38 66 2d 61 66 35 63 2d 33 33 62 31 61 62 62 64 31 62 66 65 0a 31 61 38 35 63 36 36 30 2d 31 66 39 38 2d 34 32 63 61 2d 62 31 63 62 2d 31 39 39 66 36 33 65 31 64 38 30 37 0a 32 62 35 33 36 35 66 31 2d 65 65 62 62 2d 34 31 33 35 2d 62 36 65 31 2d 34 31 33 61 61 62 32 39 39 66 63 62 0a 34 35 30 38 61 66 64 33 2d 35 66 30 35 2d 34 39 31 65 2d 62 34 39 66 2d 62 34 34 30 32 34 39 36 37
                                                              Data Ascii: 081ab395-5e85-4634-acdb-2dbd4f59a7d0089e621c-1422-4856-a8b1-3f1db208ce9e10797f1d-9613-4832-b1a3-c22fe365b89d15947802-cb9c-478f-af5c-33b1abbd1bfe1a85c660-1f98-42ca-b1cb-199f63e1d8072b5365f1-eebb-4135-b6e1-413aab299fcb4508afd3-5f05-491e-b49f-b44024967


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.11.20 | 49748 | 185.199.111.133 | 443 | 7452 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:15:24 UTC | 126 | OUT | GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1
                                                              Host: raw.githubusercontent.com
                                                              Connection: Keep-Alive
2024-12-18 11:15:24 UTC | 899 | IN | HTTP/1.1 200 OK
                                                              Connection: close
                                                              Content-Length: 31
                                                              Cache-Control: max-age=300
                                                              Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                              Content-Type: text/plain; charset=utf-8
                                                              ETag: "b8ccbe01df84b6df59046ff7ef97fe02bbba9374a7a63f24d1c8a0b07083adca"
                                                              Strict-Transport-Security: max-age=31536000
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: deny
                                                              X-XSS-Protection: 1; mode=block
                                                              X-GitHub-Request-Id: AC8C:1B4922:31EE27:363F6D:6762AECC
                                                              Accept-Ranges: bytes
                                                              Date: Wed, 18 Dec 2024 11:15:24 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-pdk-kpdk1780104-PDK
                                                              X-Cache: MISS
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1734520524.317375,VS0,VE123
                                                              Vary: Authorization,Accept-Encoding,Origin
                                                              Access-Control-Allow-Origin: *
                                                              Cross-Origin-Resource-Policy: cross-origin
                                                              X-Fastly-Request-ID: 8b1cdda467c7646abd1eac1c769729f4475a7023
                                                              Expires: Wed, 18 Dec 2024 11:20:24 GMT
                                                              Source-Age: 0
2024-12-18 11:15:24 UTC | 31 | IN | Data Raw: 56 6d 52 65 6d 6f 74 65 47 75 65 73 74 2e 65 78 65 0a 53 79 73 6d 6f 6e 36 34 2e 65 78 65 0a
                                                              Data Ascii: VmRemoteGuest.exeSysmon64.exe


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.11.20 | 49750 | 185.199.111.133 | 443 | 7452 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:15:24 UTC | 120 | OUT | GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1
                                                              Host: raw.githubusercontent.com
                                                              Connection: Keep-Alive
2024-12-18 11:15:24 UTC | 900 | IN | HTTP/1.1 200 OK
                                                              Connection: close
                                                              Content-Length: 1246
                                                              Cache-Control: max-age=300
                                                              Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                              Content-Type: text/plain; charset=utf-8
                                                              ETag: "30981a4a96ce3533cb33ae7620077db7a4a8377cb1ef8fcfc8a07293fa2937d6"
                                                              Strict-Transport-Security: max-age=31536000
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: deny
                                                              X-XSS-Protection: 1; mode=block
                                                              X-GitHub-Request-Id: 9886:1D1AC1:33A2E1:37F431:6762AECC
                                                              Accept-Ranges: bytes
                                                              Date: Wed, 18 Dec 2024 11:15:24 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-pdk-kfty8610076-PDK
                                                              X-Cache: MISS
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1734520524.320680,VS0,VE76
                                                              Vary: Authorization,Accept-Encoding,Origin
                                                              Access-Control-Allow-Origin: *
                                                              Cross-Origin-Resource-Policy: cross-origin
                                                              X-Fastly-Request-ID: eeba50ea50158949513e171d0117f0c6a6b4939f
                                                              Expires: Wed, 18 Dec 2024 11:20:24 GMT
                                                              Source-Age: 0
2024-12-18 11:15:24 UTC | 1246 | IN | Data Raw: 32 39 5f 5f 48 45 52 45 0a 32 47 36 43 37 5a 36 31 0a 32 52 4f 5f 38 55 56 55 0a 32 53 4e 35 33 38 4b 34 0a 35 4b 42 4b 34 31 5f 4c 0a 35 4c 58 50 41 38 45 53 0a 35 50 45 43 4e 36 4c 31 0a 35 52 50 46 54 33 48 5a 0a 36 42 4f 53 34 4f 37 55 0a 36 42 5a 50 32 59 32 5f 0a 36 46 34 34 41 44 52 37 0a 36 4d 50 41 39 33 0a 37 32 32 39 48 39 47 39 0a 37 34 5a 5a 43 59 37 41 0a 37 54 42 39 47 36 50 37 0a 38 34 4b 44 31 4b 53 4b 0a 38 4e 59 47 4b 33 46 4c 0a 38 59 33 42 53 58 4b 47 0a 39 53 46 37 32 46 47 37 0a 39 5a 37 37 44 4e 34 54 0a 5f 47 33 31 45 34 36 4e 0a 5f 50 48 4c 4e 59 47 52 0a 5f 54 39 57 35 4c 48 4f 0a 41 46 52 42 52 36 54 43 0a 41 4d 44 20 52 61 64 65 6f 6e 20 48 44 20 38 36 35 30 47 0a 41 53 50 45 45 44 20 47 72 61 70 68 69 63 73 20 46 61 6d 69 6c
                                                              Data Ascii: 29__HERE2G6C7Z612RO_8UVU2SN538K45KBK41_L5LXPA8ES5PECN6L15RPFT3HZ6BOS4O7U6BZP2Y2_6F44ADR76MPA937229H9G974ZZCY7A7TB9G6P784KD1KSK8NYGK3FL8Y3BSXKG9SF72FG79Z77DN4T_G31E46N_PHLNYGR_T9W5LHOAFRBR6TCAMD Radeon HD 8650GASPEED Graphics Famil


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.11.20 | 49749 | 185.199.111.133 | 443 | 7452 | C:\Users\user\Desktop\Lu4421.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:15:24 UTC | 119 | OUT | GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1
                                                              Host: raw.githubusercontent.com
                                                              Connection: Keep-Alive
2024-12-18 11:15:24 UTC | 896 | IN | HTTP/1.1 200 OK
                                                              Connection: close
                                                              Content-Length: 2853
                                                              Cache-Control: max-age=300
                                                              Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                              Content-Type: text/plain; charset=utf-8
                                                              ETag: "a0f0ad87a3cc1741bf24d6d8ec37619ff28dab76edf802ca5ceb0e1349232152"
                                                              Strict-Transport-Security: max-age=31536000
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: deny
                                                              X-XSS-Protection: 1; mode=block
                                                              X-GitHub-Request-Id: 1ADA:2A83A6:955602:A3D74D:6762AECC
                                                              Accept-Ranges: bytes
                                                              Date: Wed, 18 Dec 2024 11:15:24 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-gnv1820023-GNV
                                                              X-Cache: MISS
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1734520524.305781,VS0,VE261
                                                              Vary: Authorization,Accept-Encoding,Origin
                                                              Access-Control-Allow-Origin: *
                                                              Cross-Origin-Resource-Policy: cross-origin
                                                              X-Fastly-Request-ID: 09dc5b22c8a6faa2b24da43b4474e8e47b8fe2bf
                                                              Expires: Wed, 18 Dec 2024 11:20:24 GMT
                                                              Source-Age: 0
2024-12-18 11:15:24 UTC | 1378 | IN | Data Raw: 31 30 2e 32 30 30 2e 31 36 39 2e 32 30 34 0a 31 30 34 2e 31 39 38 2e 31 35 35 2e 31 37 33 0a 31 30 34 2e 32 30 30 2e 31 35 31 2e 33 35 0a 31 30 39 2e 31 34 35 2e 31 37 33 2e 31 36 39 0a 31 30 39 2e 32 32 36 2e 33 37 2e 31 37 32 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 30 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 31 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 32 0a 31 34 30 2e 32 32 38 2e 32 31 2e 33 36 0a 31 34 39 2e 38 38 2e 31 31 31 2e 37 39 0a 31 35 34 2e 36 31 2e 37 31 2e 35 30 0a 31 35 34 2e 36 31 2e 37 31 2e 35 31 0a 31 37 32 2e 31 30 35 2e 38 39 2e 32 30 32 0a 31 37 34 2e 37 2e 33 32 2e 31 39 39 0a 31 37 36 2e 36 33 2e 34 2e 31 37 39 0a 31 37 38 2e 32 33 39 2e 31 36 35 2e 37 30 0a 31 38 31 2e 32 31 34 2e 31 35 33 2e 31 31 0a 31 38 35 2e 32 32 30 2e 31 30 31
                                                              Data Ascii: 10.200.169.204104.198.155.173104.200.151.35109.145.173.169109.226.37.172109.74.154.90109.74.154.91109.74.154.92140.228.21.36149.88.111.79154.61.71.50154.61.71.51172.105.89.202174.7.32.199176.63.4.179178.239.165.70181.214.153.11185.220.101
2024-12-18 11:15:24 UTC | 1378 | IN | Data Raw: 30 2e 31 31 38 0a 32 31 33 2e 33 33 2e 31 39 30 2e 31 37 31 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 37 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 33 35 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 36 0a 32 31 33 2e 33 33 2e 31 39 30 2e 36 39 0a 32 31 33 2e 33 33 2e 31 39 30 2e 37 34 0a 32 33 2e 31 32 38 2e 32 34 38 2e 34 36 0a 33 34 2e 31 30 35 2e 30 2e 32 37 0a 33 34 2e 31 30 35 2e 31 38 33 2e 36 38 0a 33 34 2e 31 30 35 2e 37 32 2e 32 34 31 0a 33 34 2e 31 33 38 2e 32 35 35 2e 31 30 34 0a 33 34 2e 31 33 38 2e 39 36 2e 32 33 0a 33 34 2e 31 34 31 2e 31 34 36 2e 31 31 34 0a 33 34 2e 31 34 31 2e 32 34 35 2e 32 35 0a 33 34 2e 31 34 32 2e 37 34
                                                              Data Ascii: 0.118213.33.190.171213.33.190.22213.33.190.227213.33.190.242213.33.190.35213.33.190.42213.33.190.46213.33.190.69213.33.190.7423.128.248.4634.105.0.2734.105.183.6834.105.72.24134.138.255.10434.138.96.2334.141.146.11434.141.245.2534.142.74
2024-12-18 11:15:24 UTC | 97 | IN | Data Raw: 35 2e 37 31 2e 36 35 0a 39 35 2e 32 35 2e 37 31 2e 37 30 0a 39 35 2e 32 35 2e 37 31 2e 38 30 0a 39 35 2e 32 35 2e 37 31 2e 38 36 0a 39 35 2e 32 35 2e 37 31 2e 38 37 0a 39 35 2e 32 35 2e 37 31 2e 38 39 0a 39 35 2e 32 35 2e 37 31 2e 39 32 0a 39 35 2e 32 35 2e 38 31 2e 32 34 0a 4e 6f 6e 65 0a
                                                              Data Ascii: 5.71.6595.25.71.7095.25.71.8095.25.71.8695.25.71.8795.25.71.8995.25.71.9295.25.81.24None
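Analyst note on sessions 1-5: every request above fetches a plain-text blacklist (one entry per line) from the 6nz/virustotal-vm-blacklist repository on raw.githubusercontent.com, and the sample then compares the local machine against it: computer name, MachineGuid, running process names, GPU name (the Win32_VideoController query flagged in the signatures) and public IP. The evaluator below is an added example, not code from the sample or from the Joe Sandbox report. The list format and every list entry in it are copied from the responses shown above; the host profiles, the function names and the matching rule (exact, case-insensitive) are assumptions, since the sample's own comparison code is not on this page. It also shows one edge case the real data exposes: ip_list.txt ends with the literal string "None", so a checker that stringifies a failed IP lookup will flag every host without egress.

```python
"""Offline evaluator for the anti-VM blacklists fetched in sessions 1-5.

Added example; not code from the sample and not part of the report. The
list format (one entry per line) and every entry below are copied from
the responses shown in the report; host profiles, function names and the
exact-match rule are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed excerpts of the five lists, copied from the visible responses.
LISTS_RAW = {
    "pc_name": "DESKTOP-NAKFFMT\nDESKTOP-NKP0I4P\nAPPONFLY-VPS\nazure\nWINZDS-1BHRVPQU\n",
    "machine_guid": "081ab395-5e85-4634-acdb-2dbd4f59a7d0\n089e621c-1422-4856-a8b1-3f1db208ce9e\n",
    "process": "VmRemoteGuest.exe\nSysmon64.exe\n",
    "gpu": "AMD Radeon HD 8650G\n",
    # The real ip_list.txt ends with the literal string "None" (last response
    # chunk above): a failed lookup that was serialised into the list.
    "ip": "109.74.154.90\n109.74.154.91\n95.25.81.24\nNone\n",
}


def parse_list(text: str) -> frozenset:
    """One entry per line, blank lines dropped, case-folded for comparison
    (Windows hostnames and image names are case-insensitive)."""
    return frozenset(line.strip().casefold() for line in text.splitlines() if line.strip())


LISTS = {name: parse_list(raw) for name, raw in LISTS_RAW.items()}


@dataclass
class HostProfile:
    computer_name: str
    machine_guid: str
    processes: list            # image names of running processes
    gpu: str                   # Win32_VideoController.Name
    public_ip: Optional[str]   # None when the external lookup failed


def naive_ip_check(profile: HostProfile, lists=LISTS) -> bool:
    """The bug a list ending in 'None' invites: str(None) == 'None' matches."""
    return str(profile.public_ip).casefold() in lists["ip"]


def evaluate(profile: HostProfile, lists=LISTS) -> dict:
    """Return {category: [matched values]} for every list the host trips."""
    hits = {}

    def check(cat, values):
        matched = [v for v in values if v.casefold() in lists[cat]]
        if matched:
            hits[cat] = matched

    check("pc_name", [profile.computer_name])
    check("machine_guid", [profile.machine_guid])
    check("process", profile.processes)
    check("gpu", [profile.gpu])
    # A failed lookup is not an IP; skip it instead of matching the
    # placeholder entry the published list carries.
    if profile.public_ip is not None:
        check("ip", [profile.public_ip])
    return hits


def is_flagged(profile: HostProfile, lists=LISTS) -> bool:
    return bool(evaluate(profile, lists))


# Constructed profiles: one resembling an analysis VM, one resembling an
# ordinary workstation with no internet egress. Neither is from the report.
SANDBOX = HostProfile("desktop-nakffmt", "aaaaaaaa-0000-0000-0000-000000000000",
                      ["explorer.exe", "sysmon64.exe"],
                      "Microsoft Basic Display Adapter", "109.74.154.90")
OFFLINE_WORKSTATION = HostProfile("LAPTOP-JS12", "bbbbbbbb-0000-0000-0000-000000000000",
                                  ["explorer.exe", "outlook.exe"],
                                  "NVIDIA GeForce RTX 3060", None)

if __name__ == "__main__":
    print(evaluate(SANDBOX))
    print(naive_ip_check(OFFLINE_WORKSTATION), is_flagged(OFFLINE_WORKSTATION))
```

Feed the full downloaded files into LISTS_RAW to see which attributes of a given analysis VM would trip this family; the process list in particular contains Sysmon64.exe, so a sandbox running Sysmon under its default image name is detected by that check alone.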


                                                              Target ID:0
                                                              Start time:06:15:19
                                                              Start date:18/12/2024
                                                              Path:C:\Users\user\Desktop\Lu4421.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\Lu4421.exe"
                                                              Imagebase:0xb00000
                                                              File size:5'865'472 bytes
                                                              MD5 hash:E5358FCA58C0E1B1E29EB195FB0F4675
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AntiVM_5, Description: Yara detected AntiVM_5, Source: 00000000.00000002.27383588111.000001F5B9000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AntiVM_5, Description: Yara detected AntiVM_5, Source: 00000000.00000002.27383588111.000001F5B8FFA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AntiVM_5, Description: Yara detected AntiVM_5, Source: 00000000.00000002.27383588111.000001F5B8FA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AntiVM_5, Description: Yara detected AntiVM_5, Source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.27331731896.0000000000B02000.00000080.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.27383588111.000001F5B8BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:2
                                                              Start time:06:15:24
                                                              Start date:18/12/2024
                                                              Path:C:\Windows\System32\cmd.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a42235a3-5c0c-493b-8363-b541a166b8b0.bat"
                                                              Imagebase:0x7ff74c050000
                                                              File size:289'792 bytes
                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:3
                                                              Start time:06:15:24
                                                              Start date:18/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff662720000
                                                              File size:875'008 bytes
                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:06:15:24
                                                              Start date:18/12/2024
                                                              Path:C:\Windows\System32\chcp.com
                                                              Wow64 process (32bit):false
                                                              Commandline:chcp 65001
                                                              Imagebase:0x7ff6288d0000
                                                              File size:14'848 bytes
                                                              MD5 hash:CA9A549C17932F9CAA154B5528EBD8D4
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:06:15:24
                                                              Start date:18/12/2024
                                                              Path:C:\Windows\System32\taskkill.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:taskkill /F /PID 7452
                                                              Imagebase:0x7ff60d4c0000
                                                              File size:101'376 bytes
                                                              MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:06:15:24
                                                              Start date:18/12/2024
                                                              Path:C:\Windows\System32\timeout.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:timeout /T 2 /NOBREAK
                                                              Imagebase:0x7ff72fd70000
                                                              File size:32'768 bytes
                                                              MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true


                                                                Execution Graph

                                                                Execution Coverage:11.7%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:7.7%
                                                                Total number of Nodes:39
                                                                Total number of Limit Nodes:3

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: /2
                                                                • API String ID: 0-3582461605
                                                                • Opcode ID: c53810b5415dd720fde4d707978b7c34c3c56dc98c2c8619d2af5fc074bf533d
                                                                • Instruction ID: 65fbb5dfca92e057c0e8a9c0851a15dc46cd006434d28ab21dd8dd0f6c4cdc4a
                                                                • Instruction Fuzzy Hash: 224246B2D0D69A8FE755DB3889651B97BE0FF56320F0841BFD08DCB2D3DA2968468341

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e7313ce53b82689dc4f4c973209a3fa01b38c018d34e044c78a341851f8374f2
                                                                • Instruction ID: dbd3a3c70f01f6c6114253b54ffad76481a27e46f71caa724c3115f6f08b499c
                                                                • Instruction Fuzzy Hash: A3F1857090CA8E8FEBA8DF28C8457E977D1FF55310F04826EE84DC7691DB7899458B82

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: acec9fa4932eda46bfd1265012134a5740895b79dd6f846df2035b468efc4e33
                                                                • Instruction ID: 3205a0b49a8b84fafaa6056980c7a276cdb976fea820f68c2ee8a16a321c9caa
                                                                • Instruction Fuzzy Hash: DDE1A27090CA8E8FEFA8DF28C9557E977E1EF55310F04826BD84DC7291DA78A8448B81

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62
                                                                • API String ID: 0-1064659604
                                                                • Opcode ID: ec703c456d6c24344f0afcf9cb578f49bb10de16787b6d3a0a0f625ff1fa2930
                                                                • Instruction ID: abd2cc4e14c8b68dfefdfa0b4e696fc241d4ef6959f05458850ca574b46d8eb9
                                                                • Instruction Fuzzy Hash: 41324FB0D5895A8AEBA4EB68C8567ECB7B1FF59701F5042FAD00DD3696CE342D818B40

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62$r62
                                                                • API String ID: 0-1064659604
                                                                • Opcode ID: 48df91cfbabdc3eb8e04d4e566e9c0c8157f2d6b3db4598b606dfe97fffcd40a
                                                                • Instruction ID: 0a45388946b1ab139df8b88c7470760ac3b72c93fac86417dd7e9476c812e313
                                                                • Instruction Fuzzy Hash: 5F323EB0D5895E8AEBA4EB68C8567ECB7B1FF59701F5042FAD00DD3696CE342D818B40

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27378137289.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                                • Associated: 00000000.00000002.27378024192.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378085524.0000000000E96000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378111973.0000000000E98000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378137289.0000000001215000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378137289.0000000001224000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27379445614.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b00000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID: FindSleepWindow
                                                                • String ID: EXPL$LASS$OW_C$WIND
                                                                • API String ID: 3078808852-207433289
                                                                • Opcode ID: 125ca1bcaa80b1564cb53e533dd46275c86e176e3d84fb49547779ef92419a5e
                                                                • Instruction ID: 507e74dbc3edd93f836747bf7f4c8d441fef6079b91407f5e9fea80742714cd0
                                                                • Instruction Fuzzy Hash: 5551B3B7A18941DAEB28AF75E4417E87631E304758F508600CBB946FCDDB38D1AADF04

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27378137289.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                                • Associated: 00000000.00000002.27378024192.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378085524.0000000000E96000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378111973.0000000000E98000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378137289.0000000001215000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378137289.0000000001224000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27379445614.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b00000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID: SleepTimetime
                                                                • String ID:
                                                                • API String ID: 346578373-0
                                                                • Opcode ID: 090d97d67e3c56b24820089e1cd17dbf888febfd5d525ee4b01d114f06f5c147
                                                                • Instruction ID: e4bd1823b35d3d22c36611361d9b9e8abdd9bf0cdc0be25983baff63574eb3ac
                                                                • Instruction Fuzzy Hash: 0C5189B7909A00CFC76D9F38D4466ED3BA1E744728BC64D24CE2527A8DD7347862CB85

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27378137289.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                                • Associated: 00000000.00000002.27378024192.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378085524.0000000000E96000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378111973.0000000000E98000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378137289.0000000001215000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378137289.0000000001224000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27379445614.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b00000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID: SleepTimetime
                                                                • String ID:
                                                                • API String ID: 346578373-0
                                                                • Opcode ID: b6457df68ec6d91ed59d39b5697c4dfd6b51adb8db36e3446653ec0fd3fda6b1
                                                                • Instruction ID: 1f35ba71fa70773990ff40e98c30d8e0683f3c7df1a79b8fe6bdfffeab3e4879
                                                                • Instruction Fuzzy Hash: AD419AB7919A00CF876D9F3894465E93BE1E304728BCA8D24CE2527A8DD7343962CB85

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4N_H
                                                                • API String ID: 0-1630378009
                                                                • Opcode ID: 59bbdc4d02c6a8a7e7325b75637e86c21bcbfb24093ba212572830502b6328e8
                                                                • Instruction ID: 1eecce43b65e683e17653843e5a9c8c6efa7de9847ce2822559f8d4d0af640cd
                                                                • Opcode Fuzzy Hash: 59bbdc4d02c6a8a7e7325b75637e86c21bcbfb24093ba212572830502b6328e8
                                                                • Instruction Fuzzy Hash: 10B192B190E7C66FCB17CBB4483A4AABFE19F1722532944EFC4C69B1A3D15C4886C716

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: x2
                                                                • API String ID: 0-890668929
                                                                • Opcode ID: 887ddc4574b73263c3779196cca3accd29ef7813382c60ac828941a160a70adb
                                                                • Instruction ID: 0977e9682ed5743521868ea7cb69a6aa8133177e9f64b7d5159a5ef6aa4904af
                                                                • Opcode Fuzzy Hash: 887ddc4574b73263c3779196cca3accd29ef7813382c60ac828941a160a70adb
                                                                • Instruction Fuzzy Hash: 0B41E393D0E7E64FE356A33C59621F97F60EF53664B0941FBD08CCB1A3E80858498392

                                                                Control-flow Graph

                                                                control_flow_graph 571 7ffad6403e2f-7ffad6403e57 call 7ffad6402630 577 7ffad6403e5f-7ffad6403f11 571->577
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: H
                                                                • API String ID: 0-2852464175
                                                                • Opcode ID: dee0727329c9f2757faca7a4b33c85697f9466eee9a0e6490c84db0eb6fd89b0
                                                                • Instruction ID: 363e0703bb346332bb121f530e7a6a58e9c0ff94dba6d578c624ea374e788d89
                                                                • Opcode Fuzzy Hash: dee0727329c9f2757faca7a4b33c85697f9466eee9a0e6490c84db0eb6fd89b0
                                                                • Instruction Fuzzy Hash: D82106B0B1D6464FE795E7BC84192A97BE1EF4A320B0845FAD04DC72E7DD285C86C740

                                                                Control-flow Graph

                                                                control_flow_graph 586 7ffad6403ab2-7ffad6403ab5 call 7ffad6402598 588 7ffad6403aba-7ffad6403af8 586->588 592 7ffad6403afb-7ffad6403b11 588->592 594 7ffad6403b13 592->594
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: r62
                                                                • API String ID: 0-15411577
                                                                • Opcode ID: dfb0ef48be7cc7fe383e221d1a49c28c15e0f3b2d2f1f11e2e4b44867c4ca548
                                                                • Instruction ID: 6b79c0e264a6ea579ff5cc085416a98e0105d2380e58d44dd001ab14eeef89ab
                                                                • Opcode Fuzzy Hash: dfb0ef48be7cc7fe383e221d1a49c28c15e0f3b2d2f1f11e2e4b44867c4ca548
                                                                • Instruction Fuzzy Hash: EAF0A2A0D0DA5A5FEB91D7A884262BCBBE1FF4A310B0042BBC00ED36D2DE6829418741

                                                                Control-flow Graph

                                                                control_flow_graph 725 7ffad6400f69-7ffad6400f8a 726 7ffad6400fd4-7ffad6400ffa 725->726 727 7ffad6400f8c-7ffad6400fa2 725->727 729 7ffad6400ffb-7ffad6400ffc 726->729 728 7ffad6400fa4-7ffad6400fa7 727->728 727->729 733 7ffad6400fa9-7ffad6400fb0 728->733 734 7ffad6401028 728->734 731 7ffad6401046 729->731 732 7ffad6400ffe-7ffad6401027 729->732 737 7ffad6401088-7ffad640108b 731->737 738 7ffad6401048-7ffad640104b 731->738 732->734 733->726 735 7ffad6401029 734->735 736 7ffad64010a2-7ffad64010ad 734->736 739 7ffad6401082-7ffad6401086 735->739 740 7ffad640102a-7ffad640102e 735->740 741 7ffad64010d5-7ffad640110a 737->741 742 7ffad640108d-7ffad640109d 737->742 743 7ffad640104d-7ffad640106b call 7ffad6400510 738->743 744 7ffad64010cc-7ffad64010cd 738->744 739->737 745 7ffad6401030-7ffad6401032 740->745 746 7ffad64010af-7ffad64010b2 740->746 754 7ffad6401166-7ffad6401183 741->754 755 7ffad640110c-7ffad6401113 741->755 742->736 775 7ffad6401070-7ffad6401074 call 7ffad6401082 743->775 747 7ffad64010d0-7ffad64010d3 744->747 748 7ffad64010cf 744->748 752 7ffad6401034 745->752 753 7ffad64010ae 745->753 751 7ffad64010b4-7ffad64010b9 746->751 747->741 748->747 756 7ffad64010ba-7ffad64010bb 751->756 757 7ffad6401076-7ffad640107b 752->757 758 7ffad6401036-7ffad6401038 752->758 753->746 767 7ffad6401185-7ffad64011af 754->767 768 7ffad64011b2-7ffad64012e2 754->768 755->754 760 7ffad64010be 756->760 761 7ffad64010bd 756->761 763 7ffad640107c-7ffad6401081 757->763 758->751 762 7ffad640103a 758->762 765 7ffad64010c0-7ffad64010ca 760->765 761->760 762->763 766 7ffad640103c-7ffad640103e 762->766 765->744 766->756 771 7ffad6401040 766->771 767->768 783 7ffad64012e5-7ffad64012fe 768->783 771->739 773 7ffad6401042-7ffad6401044 771->773 773->731 773->765 775->757 786 7ffad6401300 783->786 787 7ffad6401301-7ffad6401311 786->787 788 7ffad640134b 786->788 789 7ffad6401346-7ffad6401348 787->789 790 7ffad6401313-7ffad6401316 787->790 
791 7ffad640134d-7ffad6401350 788->791 792 7ffad640137a 788->792 789->788 793 7ffad640131b-7ffad6401329 790->793 796 7ffad6401351 791->796 794 7ffad6401336-7ffad6401344 792->794 795 7ffad640137c-7ffad6401386 792->795 793->783 797 7ffad640132b-7ffad6401335 793->797 794->786 794->789 804 7ffad6401387-7ffad640138a 795->804 798 7ffad6401353-7ffad640135f 796->798 799 7ffad640138b-7ffad6401395 796->799 797->794 798->793 800 7ffad6401361-7ffad640136b 798->800 799->796 802 7ffad6401397-7ffad64013a4 799->802 808 7ffad640136c 800->808 805 7ffad64013a6-7ffad64013b0 802->805 804->799 807 7ffad64013b2-7ffad64013cb 805->807 805->808 807->804 810 7ffad64013cd-7ffad64013d0 807->810 808->805 809 7ffad640136e-7ffad6401379 808->809 809->792
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d67fcdd010aba5e289390993bb818e55df0ccefb3fc9eaca9f037279935f37db
                                                                • Instruction ID: 87c3c95516d6dd007b8d7b9016bb6ffcf1da2ee80647b2ed126fe41a777feafd
                                                                • Opcode Fuzzy Hash: d67fcdd010aba5e289390993bb818e55df0ccefb3fc9eaca9f037279935f37db
                                                                • Instruction Fuzzy Hash: 3BF1DDA1D0EBDA5FE75297B449265E9BFE09F0B320B0841FBC0C98B5A7D91C184A8352

                                                                Control-flow Graph

                                                                control_flow_graph 811 7ffad6408766-7ffad6408773 812 7ffad640877e-7ffad6408781 811->812 813 7ffad6408775-7ffad640877d 811->813 814 7ffad6408782-7ffad64087dd 812->814 813->812 816 7ffad64087df-7ffad6408891 814->816 821 7ffad64088ff 816->821 822 7ffad6408893-7ffad640889d 816->822 824 7ffad6408901-7ffad640892a 821->824 822->821 823 7ffad640889f-7ffad64088ac 822->823 825 7ffad64088ae-7ffad64088c0 823->825 826 7ffad64088e5-7ffad64088fd 823->826 830 7ffad640892c-7ffad6408937 824->830 831 7ffad6408994 824->831 827 7ffad64088c2 825->827 828 7ffad64088c4-7ffad64088d7 825->828 826->824 827->828 828->828 832 7ffad64088d9-7ffad64088e1 828->832 830->831 833 7ffad6408939-7ffad6408947 830->833 834 7ffad6408996-7ffad6408a07 831->834 832->826 835 7ffad6408980-7ffad6408992 833->835 836 7ffad6408949-7ffad640895b 833->836 842 7ffad6408a0d-7ffad6408a1c 834->842 835->834 837 7ffad640895d 836->837 838 7ffad640895f-7ffad6408972 836->838 837->838 838->838 840 7ffad6408974-7ffad640897c 838->840 840->835 843 7ffad6408a1e 842->843 844 7ffad6408a24 842->844 843->844 845 7ffad6408a26-7ffad6408a81 call 7ffad6408aa5 844->845 852 7ffad6408a83-7ffad6408a89 845->852 853 7ffad6408a8b 852->853 854 7ffad6408a90-7ffad6408aa4 852->854 853->854
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d09708956b9412340365749bd90a8d2ee0a29d740c1ab77c62383e757024f225
                                                                • Instruction ID: d9d1b905594f5d2341fc4c8e55fa77df943b09f9c24fadbf9c56ab2c5e34ff1f
                                                                • Opcode Fuzzy Hash: d09708956b9412340365749bd90a8d2ee0a29d740c1ab77c62383e757024f225
                                                                • Instruction Fuzzy Hash: A2B1B67090CA8D8FDFA9EF28C8557E93BD1EF55310F14826EE44DC7692CA34A9458B82

                                                                Control-flow Graph

                                                                control_flow_graph 855 7ffad6400955-7ffad6400993 859 7ffad6400995-7ffad64009ad 855->859 860 7ffad64009b0-7ffad64009f6 855->860 859->860 867 7ffad64009f9-7ffad6400a0f 860->867 869 7ffad6400a11-7ffad6400aca 867->869 872 7ffad6400acd-7ffad6400ba2 869->872 874 7ffad6400ba4-7ffad6400bd7 872->874 875 7ffad6400bda-7ffad6400cf2 872->875 874->875
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 61d523ec44c7e745b6d3b496fc84caf00504f2b9b58c50761a8c7712cf28ed8a
                                                                • Instruction ID: d3b0ab20e080e6d25ed5b0e90331f00e5e066d94535e64f6fe31a59ee9d2cd94
                                                                • Opcode Fuzzy Hash: 61d523ec44c7e745b6d3b496fc84caf00504f2b9b58c50761a8c7712cf28ed8a
                                                                • Instruction Fuzzy Hash: A6C1AFB190E7C66FCB17DBB4483A4AABFE19F4722071944EFC0C69B1A3D65C4886C716
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2c166e0e50d4258f612683db73098488b9c1cfe9d9d50fa381520c15b790ea53
                                                                • Instruction ID: 3540c06f1d84c8103cc1d9ad4ab2c117bcbe9474eb08c317bdcdb9571e3f3bc5
                                                                • Opcode Fuzzy Hash: 2c166e0e50d4258f612683db73098488b9c1cfe9d9d50fa381520c15b790ea53
                                                                • Instruction Fuzzy Hash: 82815972E0CE9A4FE799DB6CD8946A537E1FFAA31070851BBD04DC7296DD18EC468380
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ea63dcfaa01c4577064e84522a56e5fc197f5d04ed495a3db0c4f6a56ae07715
                                                                • Instruction ID: c806a2fcf186db453c090bce3012eb41ebfa8553945bd49bc3716bbf4f568ead
                                                                • Opcode Fuzzy Hash: ea63dcfaa01c4577064e84522a56e5fc197f5d04ed495a3db0c4f6a56ae07715
                                                                • Instruction Fuzzy Hash: EF9116F3D0DAD64FE759DBB89D691AA7FA0FF12351B0851BBC088871C3ED2928068751
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 96e2686f5b509a7f44a49831c3e0da3579f579f3810ef6849ba030c1b5e02782
                                                                • Instruction ID: 2d35e920d5ac6c475115fb329f080be2b2d74d0a37a7b034bcbb19ff59fed620
                                                                • Opcode Fuzzy Hash: 96e2686f5b509a7f44a49831c3e0da3579f579f3810ef6849ba030c1b5e02782
                                                                • Instruction Fuzzy Hash: 51910E31D0D7D94FE7229B3488625E9BFB0EF47320B0941FAD08DCB693C92D684A8756
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bf9b674076d4fca8bed60581a7cbef34a573ff9f9477e2e5943f37de86aebdf4
                                                                • Instruction ID: f08d9fe8500322df08cf601e41d253430555b52565c6e8b2988b8edd6995f930
                                                                • Opcode Fuzzy Hash: bf9b674076d4fca8bed60581a7cbef34a573ff9f9477e2e5943f37de86aebdf4
                                                                • Instruction Fuzzy Hash: 3C711E70A1990C9FDB84EB6CD499EAD7BF2FFA9311B0541A5E00DD72A2DA74EC41CB40
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 688ec97fe63c6ad70948f80d465e3e559473bc178bb450d0e77db48a0ec582ba
                                                                • Instruction ID: ab76f225644d59fbbd3ef60e90d9b2cc78754a3bc180d8425dfec96c8b9cc1a5
                                                                • Opcode Fuzzy Hash: 688ec97fe63c6ad70948f80d465e3e559473bc178bb450d0e77db48a0ec582ba
                                                                • Instruction Fuzzy Hash: 0761FA70A1890C9FDF84EB6CD499EAD77E2FFA9311B4541A5E00DD72A2DA74EC818B40
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 043d9c2874e5c14f4cadea0679c2689b50f4de559eb5956585ac1d0714038ea9
                                                                • Instruction ID: bec651d81bc56c664150e0e6b49f42086cfb7f88cbf2088f89f9f2b8aeca3beb
                                                                • Opcode Fuzzy Hash: 043d9c2874e5c14f4cadea0679c2689b50f4de559eb5956585ac1d0714038ea9
                                                                • Instruction Fuzzy Hash: A171257490864ACFDB99EF28C5409ADBBE1FF5A310F14666DC45DDB382CB34A846CB80
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 06efa5b86e16978e0232911272e26e71bf10363839c2fda6a7fa816380691391
                                                                • Instruction ID: be5fc58e55def25dbf0196494ff15901ec4f9d9815cbf91d52dcae14990144f9
                                                                • Opcode Fuzzy Hash: 06efa5b86e16978e0232911272e26e71bf10363839c2fda6a7fa816380691391
                                                                • Instruction Fuzzy Hash: B78138B0C0D2529EE745EBB042123FCBB91AF07720F04A1BBD05D9B2D3DE6D64859B56
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 955dcbe21115ce7e8761713e3a2033455d6f2173b88696dd7a4fb28b8d260754
                                                                • Instruction ID: b75ee39febf1181e9e5fae5555d9514004c474ec09d54b0b5ca4e23344f757d4
                                                                • Opcode Fuzzy Hash: 955dcbe21115ce7e8761713e3a2033455d6f2173b88696dd7a4fb28b8d260754
                                                                • Instruction Fuzzy Hash: 62517D71D08A1C8FDB68DB68D845BE9BBF1FF59310F0082AAD04DD3252DE34A9858F81
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2a3202cd7353c9fd8391375b4c7e24632756570204991fa5fb73c168ebfeeaab
                                                                • Instruction ID: 0e683d2cf362dda5292bda5c401c95641224059e88b10e38704da750b384e40d
                                                                • Opcode Fuzzy Hash: 2a3202cd7353c9fd8391375b4c7e24632756570204991fa5fb73c168ebfeeaab
                                                                • Instruction Fuzzy Hash: 5D61D3B090D7864FE749EB7884566BA7BD1EF46310F0881BED08ACB2D3DE2D6846C745
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 52570e695ebdc409a7fe2b5a21211208c1e4a56ddcfebcd40bdcc88a2f2e30b3
                                                                • Instruction ID: eaf8fe2fe1f225d757e3bbef6a59676cd09ea3aa5e1bb41e51038441d4e8e16e
                                                                • Opcode Fuzzy Hash: 52570e695ebdc409a7fe2b5a21211208c1e4a56ddcfebcd40bdcc88a2f2e30b3
                                                                • Instruction Fuzzy Hash: C051D0B1D0DA4A4FE745EBB885565FE7BE1EF56310B1084BAC04DC7293EE28A8428341
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 327ede260c1990122b262a819e1b3e753699b0d8042f3dcb425fda204afbb3c2
                                                                • Instruction ID: cf27294be8cfd35860f00ed4d90a6e1d54398b6ce2dba22fb3b03c82c6a3709b
                                                                • Opcode Fuzzy Hash: 327ede260c1990122b262a819e1b3e753699b0d8042f3dcb425fda204afbb3c2
                                                                • Instruction Fuzzy Hash: 47E0DF61BCA9464FEB0163BCE4221ECF3A1EF82321B4540FBC04ECB4D2DA5C28479342
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 49531339dab51b3609e9320a17fe32947dbfb9c08df86ab2fa827ddf3f56b0e2
                                                                • Instruction ID: 85ba3c03dcfffb5ac78877ef91b029e6ea430e91431c683360ab2481e473b46b
                                                                • Opcode Fuzzy Hash: 49531339dab51b3609e9320a17fe32947dbfb9c08df86ab2fa827ddf3f56b0e2
                                                                • Instruction Fuzzy Hash: 94E07D39A0CA9C4BDB54AA5DAC111D57BA4FB89308F05009BE44CC7241D7254515C341
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ffaa48e879891440d7ac722289f2d9b378318997ebbaa056e166919bdbf769fd
                                                                • Instruction ID: 1640bf4f470774e6d5c9b8b38a8e94c4ed9e0e6ae29f32412f6d863ec26416cd
                                                                • Opcode Fuzzy Hash: ffaa48e879891440d7ac722289f2d9b378318997ebbaa056e166919bdbf769fd
                                                                • Instruction Fuzzy Hash: 31E02B61F9981F09EB00B378B8165FEB2EADFC9300FC15833E50DC2187DC2C2A000280
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: eab91e9375f58422d6ed8c9430e10cc589eaa696b7316e3e2f2279d15ccb359f
                                                                • Instruction ID: cd2eaffd5329812a39849dcf96e6f111a34012fc9abc73419095b59a0e172ae9
                                                                • Opcode Fuzzy Hash: eab91e9375f58422d6ed8c9430e10cc589eaa696b7316e3e2f2279d15ccb359f
                                                                • Instruction Fuzzy Hash: 55D05E71F4480D4E5F81EB58A0456FDB7A1DF89211F440033D50CD2241CD1414824340
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ec256208c78661ebff79c0f74b30ff3a5e8995052fceac10feb57b8f6405e51c
                                                                • Instruction ID: f7413700c324f2d17dc4dad7dce657bd554412a3cbe3c60f30a1f78021631fdc
                                                                • Opcode Fuzzy Hash: ec256208c78661ebff79c0f74b30ff3a5e8995052fceac10feb57b8f6405e51c
                                                                • Instruction Fuzzy Hash: 41D0A93088810E6FCB01EBB8D9224EA7AA4AF46210B0014E6E07E83083DE682A548602
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0018f1d85598f7f04b1588039409f6d523b9dc38282468e3f41fdda76d4ec8dd
                                                                • Instruction ID: 105c9f20fcf7bfa312f390d06da963ce946312bd08f62e6e00ece693a71dbdef
                                                                • Opcode Fuzzy Hash: 0018f1d85598f7f04b1588039409f6d523b9dc38282468e3f41fdda76d4ec8dd
                                                                • Instruction Fuzzy Hash: DDD05E60A0CA426FE78172FC941B7A9B9E19F54310F104179E04DC39E3CC5C59C19256
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dd6a97afa7873352adfc7891215b37c89c2a5f89f3ab2e9209c96749b63ccd34
                                                                • Instruction ID: 64f2b3063db9f446c596b97760911fb7f3250ad1f4ec40d958b55dd238584496
                                                                • Opcode Fuzzy Hash: dd6a97afa7873352adfc7891215b37c89c2a5f89f3ab2e9209c96749b63ccd34
                                                                • Instruction Fuzzy Hash: 19D0A750E0DA426BE382B3FC94137AD65E1AF85310F10817AE04DC39E3DC0C69858212
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a2a54eb2a29693e13c0952ce8cf9876ce271f2b34ecc05f24d5e6dd48af65a95
                                                                • Instruction ID: 70ccb0ca4c9e6d35084769853d89121b8a7fc5f60fcef8897253739f2417a28d
                                                                • Opcode Fuzzy Hash: a2a54eb2a29693e13c0952ce8cf9876ce271f2b34ecc05f24d5e6dd48af65a95
                                                                • Instruction Fuzzy Hash: 76D01772808A064AD305DB14E44049AB7A0BF98324F440B2AA0AEA22E5DF6892868682
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5b6b51824f599b97db9738a0d7c4098e31bf579628f094ea307bf3b6f535e0d7
                                                                • Instruction ID: 254155956ccdd06164d00f694bcf0c49a56548d36fdc39324335b5af5a6da1c2
                                                                • Opcode Fuzzy Hash: 5b6b51824f599b97db9738a0d7c4098e31bf579628f094ea307bf3b6f535e0d7
                                                                • Instruction Fuzzy Hash: 8DC0123646C74947D315E710F4515EFB360FF91310F445B3AE04A92095ED596A498681
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 09e2653660eead324d27d4f962a1be77f345c078127810340df2f4f727df980a
                                                                • Instruction ID: bf9c6088768cb8d075591fb9e273ff6bf256ffee7a5e282ef4ef493b7d09178b
                                                                • Opcode Fuzzy Hash: 09e2653660eead324d27d4f962a1be77f345c078127810340df2f4f727df980a
                                                                • Instruction Fuzzy Hash: D3C0123245C60947D701E710E4518EFB761EF94314F440B3AE04EA10A6DD5867858681
                                                                APIs
                                                                • WaitForSingleObject.KERNEL32 ref: 0115F22E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27378137289.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                                • Associated: 00000000.00000002.27378024192.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378085524.0000000000E96000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378111973.0000000000E98000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378137289.0000000001215000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27378137289.0000000001224000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.27379445614.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b00000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID: ObjectSingleWait
                                                                • String ID:
                                                                • API String ID: 24740636-0
                                                                • Opcode ID: 8d36e95842ef906194a775cef9e3b67eacf1bf11023a8f30a70f3cb859bc6891
                                                                • Instruction ID: b69424bd7829b8073adf160f84cfd571b80feafbb9b3ab2ea112f3423b4c36ed
                                                                • Opcode Fuzzy Hash: 8d36e95842ef906194a775cef9e3b67eacf1bf11023a8f30a70f3cb859bc6891
                                                                • Instruction Fuzzy Hash: 56D05EFB505022CA83688FE950400DC3791D795BFC3990F25CE3196ADDDB20A0628BD9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.27390095271.00007FFAD6400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAD6400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffad6400000_Lu4421.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 65c3364da7ffd5deb221c88dd9cd05dee83198aa01eb476ab2ebef97f38cff54
                                                                • Instruction ID: b45e9efc40077bfed4bdbecdbf629ffebcc300ee4d3e6c54628102aba3c7c1d0
                                                                • Opcode Fuzzy Hash: 65c3364da7ffd5deb221c88dd9cd05dee83198aa01eb476ab2ebef97f38cff54
                                                                • Instruction Fuzzy Hash: 9E5191D3E4EAE35FF352973849390A9AB60AF6332474DE1B7D48C4B5C3CE09640E9691